Merge Pull Request from: @xiao_jiang_shui 
 
When the current HiSilicon USB xhci controller formats the faulty
U disk, it will trigger a controller exception error. This will
cause errors in the control logic of the xhci controller and
driver software. In the end, all USB devices on the xhci controller
cannot be used.

By introducing a noop command operation, restore the logic of the
xhci controller and driver software, and restore all USB devices
on the xhci controller to normal.

issue：https://gitee.com/openeuler/kernel/issues/I7DZ8S 
 
Link:https://gitee.com/openeuler/kernel/pulls/1159 

Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 

Merge Pull Request from: @ci-robot 
 
PR sync from: Chen Zhongjin <chenzhongjin@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/7SX6VMPGMA422BLUDHM6SXV5PQWXROF3/ 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1178 

Reviewed-by: Xu Kuohai <xukuohai@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/SK6QSFRPHOL2JH4U7D5UFNAWUTGI6TVU/ 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1177 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @ci-robot 
 
PR sync from: Hui Tang <tanghui20@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/F6YHNMQ56PAUXLHJIPNG3BLLMYQDTIH5/ 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1133 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Reviewed-by: sanglipeng <sanglipeng1@jd.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.4-rc1
commit 63264422
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7EK74
CVE: CVE-2023-3141

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=632644227850

--------------------------------

In r592_probe, dev->detect_timer was bound with r592_detect_timer.
In r592_irq function, the timer function will be invoked by mod_timer.

If we remove the module which will call hantro_release to make cleanup,
there may be a unfinished work. The possible sequence is as follows,
which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in r592_remove.

CPU0                  CPU1

                    |r592_detect_timer
r592_remove         |
  memstick_free_host|
  put_device;       |
  kfree(host);      |
                    |
                    | queue_work
                    |   &host->media_checker //use
Signed-off-by: NZheng Wang <zyytlz.wz@163.com>
Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.comSigned-off-by: NUlf Hansson <ulf.hansson@linaro.org>
Signed-off-by: NChen Zhongjin <chenzhongjin@huawei.com>

stable inclusion
from stable-v5.10.183
commit 7c5c67aa294444b53f697dc3ddce61b33ff8badd
category: bugfix
bugzilla: 188914
CVE: CVE-2023-35788

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7c5c67aa294444b53f697dc3ddce61b33ff8badd

--------------------------------

[ Upstream commit 4d56304e ]

If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
size is 252 bytes(key->enc_opts.len = 252) then
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
bypasses the next bounds check and results in an out-of-bounds.

Fixes: 0a6e7778 ("net/sched: allow flower to match tunnel options")
Signed-off-by: NHangyu Hua <hbh25y@gmail.com>
Reviewed-by: NSimon Horman <simon.horman@corigine.com>
Reviewed-by: NPieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.comSigned-off-by: NPaolo Abeni <pabeni@redhat.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>

Merge Pull Request from: @lixuefeng-loongson 
 
Add LoongArch maintainers to openEuler/MAINTAINERS.

Reference: https://gitee.com/openeuler/kernel-docs/blob/master/Kernel%20SIG/Meeting%20Record/2023/2023-06-16.md 
 
Link:https://gitee.com/openeuler/kernel/pulls/1157 

Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/582 
 
#I6NYW4

Fix a type cast bug in mm/oom 
 
Link:https://gitee.com/openeuler/kernel/pulls/1154 

Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhang Changzhong <zhangchangzhong@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/RIOXNQNOVQ5DSEVFMIG6YBDCEKDWMBOS/ 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1162 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

LoongArch inclusion
category: doc
bugzilla: https://gitee.com/openeuler/kernel/issues/I7EKLJ

--------------------------------

Add LoongArch maintainers to openEuler/MAINTAINERS.
Signed-off-by: Nlixuefeng <lixuefeng@loongson.cn>

Merge Pull Request from: @ci-robot 
 
PR sync from:  Li Nan <linan122@huawei.com>
 https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/thread/4EEIPQOJKUZAK6RIRH5RREOILH6ZD3EC/ 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1098 

Reviewed-by: zhangyi (F) <yi.zhang@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.2-rc7
commit 2b09d5d3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7C2TM
CVE: CVE-2023-3161

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b09d5d364986f724f17001ccfe4126b9b43a0be

--------------------------------

blit_x and blit_y are u32, so fbcon currently cannot support fonts
larger than 32x32.

The 32x32 case also needs shifting an unsigned int, to properly set bit
31, otherwise we get "UBSAN: shift-out-of-bounds in fbcon_set_font",
as reported on:

http://lore.kernel.org/all/IA1PR07MB98308653E259A6F2CE94A4AFABCE9@IA1PR07MB9830.namprd07.prod.outlook.com
Kernel Branch: 6.2.0-rc5-next-20230124
Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1mP1jcLBY7vWCNM60OMf-ogw-urQRjNrm/view?usp=sharingReported-by: NSanan Hasanov <sanan.hasanov@Knights.ucf.edu>
Signed-off-by: NSamuel Thibault <samuel.thibault@ens-lyon.org>
Fixes: 2d2699d9 ("fbcon: font setting should check limitation of driver")
Cc: stable@vger.kernel.org
Tested-by: NMiko Larsson <mikoxyzzz@gmail.com>
Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NHelge Deller <deller@gmx.de>
Signed-off-by: NZhang Changzhong <zhangchangzhong@huawei.com>

driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7DZ8S
CVE: NA

----------------------------------------------------------------------

When the current HiSilicon USB xhci controller formats the faulty
U disk, it will trigger a controller exception error. This will
cause errors in the control logic of the xhci controller and
driver software. In the end, all USB devices on the xhci controller
cannot be used.

By introducing a noop command operation, restore the logic of the
xhci controller and driver software, and restore all USB devices
on the xhci controller to normal.
Signed-off-by: NLongfang Liu <liulongfang@huawei.com>

Merge Pull Request from: @xia-bing1 
 
This series contain some fixes including:
-Add slave_destroy interface for v3 hw
-Try more retries of START_STOP when resuming scsi device
-Block requests before take debugfs snapshot
-Check usage count only when the runtime PM status is RPM_SUSPENDING 
 
Link:https://gitee.com/openeuler/kernel/pulls/1107 

Reviewed-by: Yihang Li <liyihang9@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6NYW4
CVE: NA

--------------------------------

raw call flow:

oom_kill_process
  -> mem_cgroup_scan_tasks(.., .., message)
    -> memcg_print_bad_task(message, ..)

message is "const char*" type, and incorrectly cast to
"oom_control*" type in memcg_print_bad_task.

Fix it by moving memcg_print_bad_task out of mem_cgroup_scan_tasks
and call it in select_bad_process and dump_tasks. Furthermore,
use struct oom_control* directly and remove the useless parm `ret`.
Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: NKang Chen <void0red@hust.edu.cn>
(cherry picked from commit 789038c7)

Merge Pull Request from: @youquan_song 
 
EDAC/i10nm: Add Intel Emerald Rapids server support

The Emerald Rapids CPU model uses similar memory controller registers
as Sapphire Rapids server. Add Emerald Rapids CPU model number ID for
EDAC support.

bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I7DZRN

[Testing]
dmesg - check i10nm_edac load 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1150 

Reviewed-by: Jun Tian <jun.j.tian@intel.com> 
Reviewed-by: Jason Zeng <jason.zeng@intel.com> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 

mainline inclusion
from mainline-v6.3-rc1
commit e4b2bc66
category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I7DZRN
CVE: NA

Intel-SIG: commit e4b2bc66 EDAC/i10nm: Add Intel Emerald Rapids server support.
Backport to decode memory error for Intel Emerald Rapids server.

--------------------------------

The Emerald Rapids CPU model uses similar memory controller registers
as Sapphire Rapids server. Add Emerald Rapids CPU model number ID for
EDAC support.
Tested-by: NLi Zhang <li4.zhang@intel.com>
Signed-off-by: NQiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: NTony Luck <tony.luck@intel.com>
Link: https://lore.kernel.org/all/20230113032802.41752-1-qiuxu.zhuo@intel.com
[ Youquan Song: amend commit log ]
Signed-off-by: NYouquan Song <youquan.song@intel.com>

Merge Pull Request from: @ci-robot 
 
PR sync from: ZhaoLong Wang <wangzhaolong1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ID2Q7S2KSELYENBGS2BVZCEVGEP4WKO2/ 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1136 

Reviewed-by: zhangyi (F) <yi.zhang@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @bitcoffee 
 
In the kernel, Kmesh forwards customer requests to actual backend service nodes through Layer 7 orchestration. This capability is per flow. When sending msg for the first time, Kmesh parses user Layer 7 packets and completes orchestration to complete link establishment. This requires that the pseudo link be established in the connect phase and the actual link be established in the sendmsg phase.
Therefore, the following modifications are involved:
1. The ULP framework needs to be supported in the connect phase. The l4 connect function needs to be replaced with the user-defined connect function.
2. After the L4 connect function is invoked, the L3 function can invoke the actual link establishment logic based on the error code and modify the return value of inet_stream_connect at the L3 layer.
3. In the sendmsg message, you can determine whether the delay in link setup is enabled based on the sock status.

Submission Instructions:
1. Add a writeable_tracepoint to modify the return value of __inet_stream_connect in inet_stream_connect.
2. The bpf_defer_connect flag is added to indicate whether the ebpf defer connect delay link establishment logic is enabled.
3. The ULP framework is added to support the ebpf program. The ULP framework can be used in the ebpf program.
4. A call type in sockops is added. This type is used to invoke the ebpf program in the kernel module and identify it when Kmesh delays link establishment. 
 
Link:https://gitee.com/openeuler/kernel/pulls/948 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1081 
 
PR sync from:  Liu Jian <liujian56@huawei.com>
 https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/thread/24ZK7TI2Q55BY7U53AB2LYQUFTABZR4L/ 
some backport bugfix for sockmap

Cong Wang (1):
  bpf, sock_map: Move cancel_work_sync() out of sock lock

Eric Dumazet (1):
  net: deal with most data-races in sk_wait_event()

Jakub Sitnicki (2):
  bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
  bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself

Pengcheng Yang (3):
  bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
  bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes
  bpf, sockmap: Fix data loss caused by using apply_bytes on ingress
    redirect

Wang Yufen (1):
  bpf, sockmap: Fix the sk->sk_forward_alloc warning of
    sk_stream_kill_queues

zhangmingyi (1):
  bpf: fix bpf_tcp_ingress addr use after free


-- 
2.34.1
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1131 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.4-rc2
commit 504a10d9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7CXJL
CVE: CVE-2023-3212

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=504a10d9e46bc37b23d0a1ae2f28973c8516e636

--------------------------------

On corrupt gfs2 file systems the evict code can try to reference the
journal descriptor structure, jdesc, after it has been freed and set to
NULL. The sequence of events is:

init_journal()
...
fail_jindex:
   gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL
      if (gfs2_holder_initialized(&ji_gh))
         gfs2_glock_dq_uninit(&ji_gh);
fail:
   iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode
      evict()
         gfs2_evict_inode()
            evict_linked_inode()
               ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
<------references the now freed/zeroed sd_jdesc pointer.

The call to gfs2_trans_begin is done because the truncate_inode_pages
call can cause gfs2 events that require a transaction, such as removing
journaled data (jdata) blocks from the journal.

This patch fixes the problem by adding a check for sdp->sd_jdesc to
function gfs2_evict_inode. In theory, this should only happen to corrupt
gfs2 file systems, when gfs2 detects the problem, reports it, then tries
to evict all the system inodes it has read in up to that point.
Reported-by: NYang Lan <lanyang0908@gmail.com>
Signed-off-by: NBob Peterson <rpeterso@redhat.com>
Signed-off-by: NAndreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>

Conflicts:
        fs/gfs2/super.c

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7D76D

--------------------------------

Add cmdline of 'noqossched' which is enable by default.
Use the static key to reduce noise for multi level prio,
smt expell and prio load balance.
Signed-off-by: NHui Tang <tanghui20@huawei.com>

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1069 
 
PR sync from:  Yu Liao <liaoyu15@huawei.com>
 https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/thread/CQNKMRKUYC4EDBYHOMD6CXZQPZEJBMFY/ 
This patch series support ACPI for MPAM 2.0.

v5: fix unused variable warning.

v4: add PPTT null check to prevent NULL pointer deference.


Erik Kaneda (1):
  ACPICA: ACPI 6.4: PPTT: add new version of subtable type 1

Hesham Almatary (1):
  ACPICA: Add support for Arm's MPAM ACPI table version 2

Yu Liao (2):
  ACPI / PPTT: Find PPTT processor node by cache id
  ACPI/MPAM: Adapt to Arm's MPAM ACPI table version 2


-- 
2.25.1
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1071 

Reviewed-by: Wang ShaoBo <bobo.shaobowang@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @lujunhuaHW 
 
The Synopsis DesignWare DW_apb_ssi specifications version 3.23 onward
define a 32-bits maximum transfer size synthesis parameter
(SSI_MAX_XFER_SIZE=32) in addition to the legacy 16-bits configuration
(SSI_MAX_XFER_SIZE=16) for SPI controllers. When SSI_MAX_XFER_SIZE=32,
the layout of the ctrlr0 register changes, moving the data frame format
field from bits [3..0] to bits [16..20], and the RX/TX FIFO word size
can be up to 32-bits.

To support this new format, introduce the DW SPI capability flag
DW_SPI_CAP_DFS32 to indicate that a controller is configured with
SSI_MAX_XFER_SIZE=32. Since SSI_MAX_XFER_SIZE is a controller synthesis
parameter not accessible through a register, the detection of this
parameter value is done in spi_hw_init() by writing and reading the
ctrlr0 register and testing the value of bits [3..0]. These bits are
ignored (unchanged) for SSI_MAX_XFER_SIZE=16, allowing the detection.
If a DFS32 capable SPI controller is detected, the new field dfs_offset
in struct dw_spi is set to SPI_DFS32_OFFSET (16).

dw_spi_update_config() is modified to set the data frame size field at
the correct position is the CTRLR0 register, as indicated by the
dfs_offset field of the dw_spi structure.

The DW_SPI_CAP_DFS32 flag is also unconditionally set for SPI slave
controllers, e.g. controllers that have the DW_SPI_CAP_DWC_SSI
capability flag set. However, for these ssi controllers, the dfs_offset
field is set to 0 as before (as per specifications).

Finally, for any controller with the DW_SPI_CAP_DFS32 capability flag
set, dw_spi_add_host() extends the value of bits_per_word_mask from
16-bits to 32-bits. dw_reader() and dw_writer() are also modified to
handle 32-bits iTX/RX FIFO words.
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1023 

Reviewed-by: sanglipeng <sanglipeng1@jd.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1042 
 
PR sync from:  Liu Jian <liujian56@huawei.com>
 https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/thread/XZRFZY2DDUQG3YGA4NRUPJDCHSZ77ENA/ 
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1075 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I545NW
CVE: NA

--------------------------------

fix a bug in bpf_tcp_ingress(), addr use after free
Signed-off-by: Nzhangmingyi <zhangmingyi5@huawei.com>
Reviewed-by: Nliuxin <liuxin350@huawei.com>
Reviewed-by: Nwuchangye <wuchangye@huawei.com>
Fixes: 8818e269 ("bpf, sockmap: Add sk_rmem_alloc check for sockmap")
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 46613645)

stable inclusion
from stable-v5.10.181
commit 4493914009609d6351b3a41dfe3b0ac5209bd4c6
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I65HYE
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4493914009609d6351b3a41dfe3b0ac5209bd4c6

---------------------------

[ Upstream commit d0ac89f6 ]

__condition is evaluated twice in sk_wait_event() macro.

First invocation is lockless, and reads can race with writes,
as spotted by syzbot.

BUG: KCSAN: data-race in sk_stream_wait_connect / tcp_disconnect

write to 0xffff88812d83d6a0 of 4 bytes by task 9065 on cpu 1:
tcp_disconnect+0x2cd/0xdb0
inet_shutdown+0x19e/0x1f0 net/ipv4/af_inet.c:911
__sys_shutdown_sock net/socket.c:2343 [inline]
__sys_shutdown net/socket.c:2355 [inline]
__do_sys_shutdown net/socket.c:2363 [inline]
__se_sys_shutdown+0xf8/0x140 net/socket.c:2361
__x64_sys_shutdown+0x31/0x40 net/socket.c:2361
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88812d83d6a0 of 4 bytes by task 9040 on cpu 0:
sk_stream_wait_connect+0x1de/0x3a0 net/core/stream.c:75
tcp_sendmsg_locked+0x2e4/0x2120 net/ipv4/tcp.c:1266
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1484
inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:651
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
__sys_sendto+0x246/0x300 net/socket.c:2142
__do_sys_sendto net/socket.c:2154 [inline]
__se_sys_sendto net/socket.c:2150 [inline]
__x64_sys_sendto+0x78/0x90 net/socket.c:2150
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x00000000 -> 0x00000068

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Reported-by: Nsyzbot <syzkaller@googlegroups.com>
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 7695e960)

mainline inclusion
from mainline-v6.2-rc7
commit 5b4a79ba
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I65HYE
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5b4a79ba65a1ab479903fff2e604865d229b70a9

---------------------------

sock_map proto callbacks should never call themselves by design. Protect
against bugs like [1] and break out of the recursive loop to avoid a stack
overflow in favor of a resource leak.

[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/Suggested-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NJakub Sitnicki <jakub@cloudflare.com>
Acked-by: NJohn Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-1-1e0ee7ac2f90@cloudflare.comSigned-off-by: NAlexei Starovoitov <ast@kernel.org>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 5a74e1a8)

stable inclusion
from stable-v5.10.168
commit 9bd6074e1872d22190a8da30e796cbf937d334f0
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6IXN2
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9bd6074e1872d22190a8da30e796cbf937d334f0

--------------------------------

[ Upstream commit ddce1e09 ]

A listening socket linked to a sockmap has its sk_prot overridden. It
points to one of the struct proto variants in tcp_bpf_prots. The variant
depends on the socket's family and which sockmap programs are attached.

A child socket cloned from a TCP listener initially inherits their sk_prot.
But before cloning is finished, we restore the child's proto to the
listener's original non-tcp_bpf_prots one. This happens in
tcp_create_openreq_child -> tcp_bpf_clone.

Today, in tcp_bpf_clone we detect if the child's proto should be restored
by checking only for the TCP_BPF_BASE proto variant. This is not
correct. The sk_prot of listening socket linked to a sockmap can point to
to any variant in tcp_bpf_prots.

If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then
the child socket unintentionally is left if the inherited sk_prot by
tcp_bpf_clone.

This leads to issues like infinite recursion on close [1], because the
child state is otherwise not set up for use with tcp_bpf_prot operations.

Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.

Note that it wouldn't be sufficient to check the socket state when
overriding the sk_prot in tcp_bpf_update_proto in order to always use the
TCP_BPF_BASE variant for listening sockets. Since commit
b8b8315e ("bpf, sockmap: Remove unhash handler for BPF sockmap usage")
it is possible for a socket to transition to TCP_LISTEN state while already
linked to a sockmap, e.g. connect() -> insert into map ->
connect(AF_UNSPEC) -> listen().

[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/

Fixes: e8025155 ("tcp_bpf: Don't let child socket inherit parent protocol ops on copy")
Reported-by: syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com
Signed-off-by: NJakub Sitnicki <jakub@cloudflare.com>
Acked-by: NJohn Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-2-1e0ee7ac2f90@cloudflare.comSigned-off-by: NAlexei Starovoitov <ast@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NWang Hai <wanghai38@huawei.com>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 839eee17)

stable inclusion
from stable-v5.10.163
commit c58df40e3e67fd7603290b5dd24c47cdc1f9ef74
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6AVM6
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c58df40e3e67fd7603290b5dd24c47cdc1f9ef74

--------------------------------

[ Upstream commit 9072931f ]

Use apply_bytes on ingress redirect, when apply_bytes is less than
the length of msg data, some data may be skipped and lost in
bpf_tcp_ingress().

If there is still data in the scatterlist that has not been consumed,
we cannot move the msg iter.

Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: NPengcheng Yang <yangpc@wangsu.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Acked-by: NJakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/1669718441-2654-4-git-send-email-yangpc@wangsu.comSigned-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NWang Hai <wanghai38@huawei.com>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 5a4552f3)

mainline inclusion
from mainline-v6.2-rc1
commit a351d608
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I65HYE
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a351d6087bf7d3d8440d58d3bf244ec64b89394a

---------------------------

When redirecting, we use sk_msg_to_ingress() to get the BPF_F_INGRESS
flag from the msg->flags. If apply_bytes is used and it is larger than
the current data being processed, sk_psock_msg_verdict() will not be
called when sendmsg() is called again. At this time, the msg->flags is 0,
and we lost the BPF_F_INGRESS flag.

So we need to save the BPF_F_INGRESS flag in sk_psock and use it when
redirection.

Fixes: 8934ce2f ("bpf: sockmap redirect ingress support")
Signed-off-by: NPengcheng Yang <yangpc@wangsu.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Acked-by: NJakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/1669718441-2654-3-git-send-email-yangpc@wangsu.comSigned-off-by: NLiu Jian <liujian56@huawei.com>

Conflicts:
	include/net/tcp.h
(cherry picked from commit b67daf1b)

stable inclusion
from stable-v5.10.163
commit 28e4a763cd4a2b1a78852216ef4bd7df3a05cec6
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6AVM6
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=28e4a763cd4a2b1a78852216ef4bd7df3a05cec6

--------------------------------

[ Upstream commit 7a9841ca ]

In tcp_bpf_send_verdict() redirection, the eval variable is assigned to
__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,
sock_put() will be called multiple times.

We should reset the eval variable to __SK_NONE every time more_data
starts.

This causes:

IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110
Modules linked in:
CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1
Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
 <TASK>
 __tcp_transmit_skb+0xa1b/0xb90
 ? __alloc_skb+0x8c/0x1a0
 ? __kmalloc_node_track_caller+0x184/0x320
 tcp_write_xmit+0x22a/0x1110
 __tcp_push_pending_frames+0x32/0xf0
 do_tcp_sendpages+0x62d/0x640
 tcp_bpf_push+0xae/0x2c0
 tcp_bpf_sendmsg_redir+0x260/0x410
 ? preempt_count_add+0x70/0xa0
 tcp_bpf_send_verdict+0x386/0x4b0
 tcp_bpf_sendmsg+0x21b/0x3b0
 sock_sendmsg+0x58/0x70
 __sys_sendto+0xfa/0x170
 ? xfd_validate_state+0x1d/0x80
 ? switch_fpu_return+0x59/0xe0
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0x37/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: cd9733f5 ("tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function")
Signed-off-by: NPengcheng Yang <yangpc@wangsu.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Acked-by: NJakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/1669718441-2654-2-git-send-email-yangpc@wangsu.comSigned-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NWang Hai <wanghai38@huawei.com>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 48c7aa19)

mainline inclusion
from mainline-v6.1-rc5
commit 8bbabb3f
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I65HYE
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8bbabb3fddcd0f858be69ed5abc9b470a239d6f2

---------------------------

Stanislav reported a lockdep warning, which is caused by the
cancel_work_sync() called inside sock_map_close(), as analyzed
below by Jakub:

psock->work.func = sk_psock_backlog()
  ACQUIRE psock->work_mutex
    sk_psock_handle_skb()
      skb_send_sock()
        __skb_send_sock()
          sendpage_unlocked()
            kernel_sendpage()
              sock->ops->sendpage = inet_sendpage()
                sk->sk_prot->sendpage = tcp_sendpage()
                  ACQUIRE sk->sk_lock
                    tcp_sendpage_locked()
                  RELEASE sk->sk_lock
  RELEASE psock->work_mutex

sock_map_close()
  ACQUIRE sk->sk_lock
  sk_psock_stop()
    sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED)
    cancel_work_sync()
      __cancel_work_timer()
        __flush_work()
          // wait for psock->work to finish
  RELEASE sk->sk_lock

We can move the cancel_work_sync() out of the sock lock protection,
but still before saved_close() was called.

Fixes: 799aa7f9 ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
Reported-by: NStanislav Fomichev <sdf@google.com>
Signed-off-by: NCong Wang <cong.wang@bytedance.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Tested-by: NJakub Sitnicki <jakub@cloudflare.com>
Acked-by: NJohn Fastabend <john.fastabend@gmail.com>
Acked-by: NJakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20221102043417.279409-1-xiyou.wangcong@gmail.com
(cherry picked from commit 8bbabb3f)
Signed-off-by: NLiu Jian <liujian56@huawei.com>

Conflicts:
	net/core/skmsg.c
(cherry picked from commit a4aa9897)

stable inclusion
from stable-v5.10.155
commit cc21dc48a78cc9e5af9a4d039cd456446a6e73ff
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I64YCD
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cc21dc48a78cc9e5af9a4d039cd456446a6e73ff

--------------------------------

[ Upstream commit 8ec95b94 ]

When running `test_sockmap` selftests, the following warning appears:

  WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0
  Call Trace:
  <TASK>
  inet_csk_destroy_sock+0x55/0x110
  tcp_rcv_state_process+0xd28/0x1380
  ? tcp_v4_do_rcv+0x77/0x2c0
  tcp_v4_do_rcv+0x77/0x2c0
  __release_sock+0x106/0x130
  __tcp_close+0x1a7/0x4e0
  tcp_close+0x20/0x70
  inet_release+0x3c/0x80
  __sock_release+0x3a/0xb0
  sock_close+0x14/0x20
  __fput+0xa3/0x260
  task_work_run+0x59/0xb0
  exit_to_user_mode_prepare+0x1b3/0x1c0
  syscall_exit_to_user_mode+0x19/0x50
  do_syscall_64+0x48/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

The root case is in commit 84472b43 ("bpf, sockmap: Fix more uncharged
while msg has more_data"), where I used msg->sg.size to replace the tosend,
causing breakage:

  if (msg->apply_bytes && msg->apply_bytes < tosend)
    tosend = psock->apply_bytes;

Fixes: 84472b43 ("bpf, sockmap: Fix more uncharged while msg has more_data")
Reported-by: NJakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: NWang Yufen <wangyufen@huawei.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Acked-by: NJohn Fastabend <john.fastabend@gmail.com>
Acked-by: NJakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/1667266296-8794-1-git-send-email-wangyufen@huawei.comSigned-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NChen Jiahao <chenjiahao16@huawei.com>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 86404036)

Merge Pull Request from: @did-you-collect-the-wool-today 
 
virt inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7BQMW
CVE: NA

-----------------------------------------------------------------

The deafault value of NR_IRQS is not sufficient to support GICv4.1
features and ~56K LPIs. This parameter would be too small for certain
server platforms where it has many IO devices and is capable of
direct injection of vSGI and vLPI features.

Currently, maximum of 64 + 8192 (IRQ_BITMAP_BITS) IRQ descriptors
are allowed. The vCPU creation fails after reaching count ~400 with
kvm-arm.vgic_v4_enable=1.

This patch increases NR_IRQS to 1^19 to cover 56K LPIs and 262144
vSGIs (16vPEs x 16).

------------------------------------------------------------------

Tips: Tish is a temporary fix[1], but it has been able to solve the
problem. The latest upstream version[2] depends on the 'maple tree',
which is inappropriately introduced to the current kernel.

-------------------------------------------------------------------

Another Tips: According to Chao Liu and Chang Liao's suggestion,
modifying IRQ_BITMAP_BITS can achieve the same effect with less
impact. Compared with solution[2], solution[1] has a disadvantage:
the memory foot print increases as the number of VMs increases.

Link: https://lore.kernel.org/linux-arm-kernel/20230104023738.1258925-1-sdonthineni@nvidia.com/ [1]
Link: https://lore.kernel.org/all/20230519134902.1495562-1-sdonthineni@nvidia.com/#t [2]
Signed-off-by: NShanker Donthineni <sdonthineni@nvidia.com>
Signed-off-by: NChao Liu <liuchao173@huawei.com>
Signed-off-by: NChang Liao <liaochang1@huawei.com>
Signed-off-by: Kunkun Jiang <jiangkunkun@huawei.com> 
 
Link:https://gitee.com/openeuler/kernel/pulls/991 

Reviewed-by: Liu Chao <liuchao173@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @ci-robot 
 
PR sync from:  Peng Zhang <zhangpeng362@huawei.com>
 https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/thread/GRJWIT22G2QJFYJL64FIBD6E7V5TTDY5/ 
From: ZhangPeng <zhangpeng362@huawei.com>

Fix Fuzz test BUG_ON and failure to swap out large memory. Two userswap
bugfixes synchronized from hulk5.10.

ZhangPeng (2):
  userswap: fix BUG_ON in userfaultfd_release()
  userswap: fix kmalloc ENOMEM failed for a large memory


-- 
2.25.1
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1115 

Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @svishen 
 
This pull Requests refactor hclge_mac_link_status_wait and add wait until mac link down

issue:
https://gitee.com/openeuler/kernel/issues/I7D6IP 
 
Link:https://gitee.com/openeuler/kernel/pulls/1113 

Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 

Merge Pull Request from: @Hongchen_Zhang 
 
7A1000 int_clear register should be write 64bit aligned. 
 
Link:https://gitee.com/openeuler/kernel/pulls/1084 

Reviewed-by: Guo Dongtai <guodongtai@kylinos.cn> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 

Merge Pull Request from: @Hongchen_Zhang 
 
when we test the 2k500 bmc,the system hang when send the following command:
[loongson@localhost ~]# ipmi mc reset cold

After apply this PR,the problem disappeared. 
 
Link:https://gitee.com/openeuler/kernel/pulls/1083 

Reviewed-by: Guo Dongtai <guodongtai@kylinos.cn> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6CAIM

--------------------------------

If the swapped-out memory is large, such as tens of gigabytes, we will
allocate a large management structure, which may be tens of megabytes or
hundreds of megabytes. So if we use kmalloc to allocate management
structures it may fail.
Fix this by changing kmalloc to kvzalloc and kfree to kvfree.
Signed-off-by: NZhangPeng <zhangpeng362@huawei.com>