提交 · a16bd8bc5414d580dd35815700c7538f109d5dd3 · openeuler / Kernel

25 2月, 2023 15 次提交

bpf: make sure skb->len != 0 when redirecting to a tunneling device · a16bd8bc

由 Stanislav Fomichev 提交于 2月 22, 2023

stable inclusion
from stable-v5.10.163
commit 6d935a02658be82585ecb39aab339faa84496650
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6AVM6

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6d935a02658be82585ecb39aab339faa84496650

--------------------------------

[ Upstream commit 07ec7b50 ]

syzkaller managed to trigger another case where skb->len == 0
when we enter __dev_queue_xmit:

WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295

Call Trace:
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4406
 __bpf_tx_skb net/core/filter.c:2115 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2140 [inline]
 __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163
 ____bpf_clone_redirect net/core/filter.c:2447 [inline]
 bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419
 bpf_prog_48159a89cb4a9a16+0x59/0x5e
 bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]
 __bpf_prog_run include/linux/filter.h:596 [inline]
 bpf_prog_run include/linux/filter.h:603 [inline]
 bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402
 bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170
 bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648
 __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005
 __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089
 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

The reproducer doesn't really reproduce outside of syzkaller
environment, so I'm taking a guess here. It looks like we
do generate correct ETH_HLEN-sized packet, but we redirect
the packet to the tunneling device. Before we do so, we
__skb_pull l2 header and arrive again at skb->len == 0.
Doesn't seem like we can do anything better than having
an explicit check after __skb_pull?

Cc: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com
Signed-off-by: NStanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221027225537.353077-1-sdf@google.comSigned-off-by: NMartin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

a16bd8bc

raw: fix KABI for backporting raw RCU conversion patches · 1d070720

由 Ziyang Xuan 提交于 2月 22, 2023

Offering: HULK
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

--------------------------------

In order to fix softlockup problem in raw sockets because global rwlock,
backport "raw: RCU conversion" series patches. That will introduce KABI
changes. This patch is to fix KABI changes.
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

1d070720

ipv6: Fix crash when IPv6 is administratively disabled · 512fcae2

由 Ido Schimmel 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc7
commit 76dd0728
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76dd07281338da6951fdab3432ced843fa87839c

--------------------------------

The global 'raw_v6_hashinfo' variable can be accessed even when IPv6 is
administratively disabled via the 'ipv6.disable=1' kernel command line
option, leading to a crash [1].

Fix by restoring the original behavior and always initializing the
variable, regardless of IPv6 support being administratively disabled or
not.

[1]
 BUG: unable to handle page fault for address: ffffffffffffffc8
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 173e18067 P4D 173e18067 PUD 173e1a067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP KASAN
 CPU: 3 PID: 271 Comm: ss Not tainted 6.0.0-rc4-custom-00136-g0727a9a5 #1396
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
 RIP: 0010:raw_diag_dump+0x310/0x7f0
 [...]
 Call Trace:
  <TASK>
  __inet_diag_dump+0x10f/0x2e0
  netlink_dump+0x575/0xfd0
  __netlink_dump_start+0x67b/0x940
  inet_diag_handler_cmd+0x273/0x2d0
  sock_diag_rcv_msg+0x317/0x440
  netlink_rcv_skb+0x15e/0x430
  sock_diag_rcv+0x2b/0x40
  netlink_unicast+0x53b/0x800
  netlink_sendmsg+0x945/0xe60
  ____sys_sendmsg+0x747/0x960
  ___sys_sendmsg+0x13a/0x1e0
  __sys_sendmsg+0x118/0x1e0
  do_syscall_64+0x34/0x80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Fixes: 0daf07e5 ("raw: convert raw sockets to RCU")
Reported-by: NRoberto Ricci <rroberto2r@gmail.com>
Tested-by: NRoberto Ricci <rroberto2r@gmail.com>
Signed-off-by: NIdo Schimmel <idosch@nvidia.com>
Reviewed-by: NDavid Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20220916084821.229287-1-idosch@nvidia.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

512fcae2

raw: remove unused variables from raw6_icmp_error() · eff0d9a8

由 Eric Dumazet 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc1
commit c4fceb46
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c4fceb46add65481ef0dfb79cad24c3c269b4cad

--------------------------------

saddr and daddr are set but not used.

Fixes: ba44f818 ("raw: use more conventional iterators")
Reported-by: Nkernel test robot <lkp@intel.com>
Signed-off-by: NEric Dumazet <edumazet@google.com>
Acked-by: NJonathan Lemon <jonathan.lemon@gmail.com>
Link: https://lore.kernel.org/r/20220622032303.159394-1-edumazet@google.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

eff0d9a8

raw: fix a typo in raw_icmp_error() · bf9c43a1

由 Eric Dumazet 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc1
commit 97a4d46b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=97a4d46b1516250d640c1ae0c9e7129d160d6a1c

--------------------------------

I accidentally broke IPv4 traceroute, by swapping iph->saddr
and iph->daddr.

Probably because raw_icmp_error() and raw_v4_input()
use different order for iph->saddr and iph->daddr.

Fixes: ba44f818 ("raw: use more conventional iterators")
Reported-by: NJohn Sperbeck <jsperbeck@google.com>
Signed-off-by: NEric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20220623193540.2851799-1-edumazet@google.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

bf9c43a1

raw: complete rcu conversion · d8d4181d

由 Eric Dumazet 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc1
commit af185d8c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=af185d8c76333daa877678e0166a7b45e63bf3c4

--------------------------------

raw_diag_dump() can use rcu_read_lock() instead of read_lock()

Now the hashinfo lock is only used from process context,
in write mode only, we can convert it to a spinlock,
and we do not need to block BH anymore.
Signed-off-by: NEric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20220620100509.3493504-1-eric.dumazet@gmail.comSigned-off-by: NPaolo Abeni <pabeni@redhat.com>
Conflicts:
	net/ipv4/raw.c
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

d8d4181d

raw: Use helpers for the hlist_nulls variant. · b9df2cce

由 Kuniyuki Iwashima 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc1
commit f289c02b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f289c02bf41b55fbfccf21d72c4ac44cd4a7a107

--------------------------------

hlist_nulls_add_head_rcu() and hlist_nulls_for_each_entry() have dedicated
macros for sk.
Signed-off-by: NKuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

b9df2cce

raw: Fix mixed declarations error in raw_icmp_error(). · cb9815a2

由 Kuniyuki Iwashima 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc1
commit 5da39e31
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5da39e31b1b0eb62b8ed369ad9615da850239e9e

--------------------------------

The trailing semicolon causes a compiler error, so let's remove it.

net/ipv4/raw.c: In function ‘raw_icmp_error’:
net/ipv4/raw.c:266:2: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
  266 |  struct hlist_nulls_head *hlist;
      |  ^~~~~~

Fixes: ba44f818 ("raw: use more conventional iterators")
Signed-off-by: NKuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

cb9815a2

raw: convert raw sockets to RCU · 9cc736ee

由 Eric Dumazet 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc1
commit 0daf07e5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0daf07e527095e64ee8927ce297ab626643e9f51

--------------------------------

Using rwlock in networking code is extremely risky.
writers can starve if enough readers are constantly
grabing the rwlock.

I thought rwlock were at fault and sent this patch:

https://lkml.org/lkml/2022/6/17/272

But Peter and Linus essentially told me rwlock had to be unfair.

We need to get rid of rwlock in networking code.

Without this fix, following script triggers soft lockups:

for i in {1..48}
do
 ping -f -n -q 127.0.0.1 &
 sleep 0.1
done

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Conflicts:
	net/ipv4/raw.c
	net/ipv6/af_inet6.c
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

9cc736ee

raw: use more conventional iterators · b3b1305c

由 Eric Dumazet 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.0-rc1
commit ba44f818
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ECEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ba44f8182ec299c5d1c8a72fc0fde4ec127b5a6d

--------------------------------

In order to prepare the following patch,
I change raw v4 & v6 code to use more conventional
iterators.
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

b3b1305c

cifs: Fix use-after-free in rdata->read_into_pages() · 46a03096

由 ZhaoLong Wang 提交于 2月 22, 2023

mainline inclusion
from mainline-v6.2-rc8
commit aa5465ae
category: bugfix
bugzilla: 188381, https://gitee.com/openeuler/kernel/issues/I644ST
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aa5465aeca3c66fecdf7efcf554aed79b4c4b211

------------------------------------------------------

When the network status is unstable, use-after-free may occur when
read data from the server.

  BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0

  Call Trace:
   <TASK>
   dump_stack_lvl+0x38/0x4c
   print_report+0x16f/0x4a6
   kasan_report+0xb7/0x130
   readpages_fill_pages+0x14c/0x7e0
   cifs_readv_receive+0x46d/0xa40
   cifs_demultiplex_thread+0x121c/0x1490
   kthread+0x16b/0x1a0
   ret_from_fork+0x2c/0x50
   </TASK>

  Allocated by task 2535:
   kasan_save_stack+0x22/0x50
   kasan_set_track+0x25/0x30
   __kasan_kmalloc+0x82/0x90
   cifs_readdata_direct_alloc+0x2c/0x110
   cifs_readdata_alloc+0x2d/0x60
   cifs_readahead+0x393/0xfe0
   read_pages+0x12f/0x470
   page_cache_ra_unbounded+0x1b1/0x240
   filemap_get_pages+0x1c8/0x9a0
   filemap_read+0x1c0/0x540
   cifs_strict_readv+0x21b/0x240
   vfs_read+0x395/0x4b0
   ksys_read+0xb8/0x150
   do_syscall_64+0x3f/0x90
   entry_SYSCALL_64_after_hwframe+0x72/0xdc

  Freed by task 79:
   kasan_save_stack+0x22/0x50
   kasan_set_track+0x25/0x30
   kasan_save_free_info+0x2e/0x50
   __kasan_slab_free+0x10e/0x1a0
   __kmem_cache_free+0x7a/0x1a0
   cifs_readdata_release+0x49/0x60
   process_one_work+0x46c/0x760
   worker_thread+0x2a4/0x6f0
   kthread+0x16b/0x1a0
   ret_from_fork+0x2c/0x50

  Last potentially related work creation:
   kasan_save_stack+0x22/0x50
   __kasan_record_aux_stack+0x95/0xb0
   insert_work+0x2b/0x130
   __queue_work+0x1fe/0x660
   queue_work_on+0x4b/0x60
   smb2_readv_callback+0x396/0x800
   cifs_abort_connection+0x474/0x6a0
   cifs_reconnect+0x5cb/0xa50
   cifs_readv_from_socket.cold+0x22/0x6c
   cifs_read_page_from_socket+0xc1/0x100
   readpages_fill_pages.cold+0x2f/0x46
   cifs_readv_receive+0x46d/0xa40
   cifs_demultiplex_thread+0x121c/0x1490
   kthread+0x16b/0x1a0
   ret_from_fork+0x2c/0x50

The following function calls will cause UAF of the rdata pointer.

readpages_fill_pages
 cifs_read_page_from_socket
  cifs_readv_from_socket
   cifs_reconnect
    __cifs_reconnect
     cifs_abort_connection
      mid->callback() --> smb2_readv_callback
       queue_work(&rdata->work)  # if the worker completes first,
                                 # the rdata is freed
          cifs_readv_complete
            kref_put
              cifs_readdata_release
                kfree(rdata)
 return rdata->...               # UAF in readpages_fill_pages()

Similarly, this problem also occurs in the uncache_fill_pages().

Fix this by adjusts the order of condition judgment in the return
statement.
Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>
Cc: stable@vger.kernel.org
Acked-by: NPaulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: NSteve French <stfrench@microsoft.com>
Reviewed-by: NZhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

46a03096

net: bridge: mcast: add and enforce query interval minimum · bd51350f

由 Nikolay Aleksandrov 提交于 2月 22, 2023

mainline inclusion
from mainline-v5.16-rc8
commit 99b40610
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6DKZJ
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=99b40610956a8a8755653a67392e2a8b772453be

--------------------------------

As reported[1] if query interval is set too low and we have multiple
bridges or even a single bridge with multiple querier vlans configured
we can crash the machine. Add a 1 second minimum which must be enforced
by overwriting the value if set lower (i.e. without returning an error) to
avoid breaking user-space. If that happens a log message is emitted to let
the administrator know that the interval has been set to the minimum.
The issue has been present since these intervals could be user-controlled.

[1] https://lore.kernel.org/netdev/e8b9ce41-57b9-b6e2-a46a-ff9c791cf0ba@gmail.com/

Fixes: d902eee4 ("bridge: Add multicast count/interval sysfs entries")
Reported-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NNikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: NJakub Kicinski <kuba@kernel.org>

Conflicts:
	net/bridge/br_multicast.c
	net/bridge/br_netlink.c
	net/bridge/br_private.h
	net/bridge/br_sysfs_br.c
Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

bd51350f

net: bridge: mcast: add and enforce startup query interval minimum · f5014d90

由 Nikolay Aleksandrov 提交于 2月 22, 2023

mainline inclusion
from mainline-v5.16-rc8
commit f83a112b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6DKZJ
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f83a112bd91a494cdee671aec74e777470fb4a07

--------------------------------

As reported[1] if startup query interval is set too low in combination with
large number of startup queries and we have multiple bridges or even a
single bridge with multiple querier vlans configured we can crash the
machine. Add a 1 second minimum which must be enforced by overwriting the
value if set lower (i.e. without returning an error) to avoid breaking
user-space. If that happens a log message is emitted to let the admin know
that the startup interval has been set to the minimum. It doesn't make
sense to make the startup interval lower than the normal query interval
so use the same value of 1 second. The issue has been present since these
intervals could be user-controlled.

[1] https://lore.kernel.org/netdev/e8b9ce41-57b9-b6e2-a46a-ff9c791cf0ba@gmail.com/

Fixes: d902eee4 ("bridge: Add multicast count/interval sysfs entries")
Reported-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NNikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: NJakub Kicinski <kuba@kernel.org>

Conflicts:
	net/bridge/br_multicast.c
	net/bridge/br_netlink.c
	net/bridge/br_private.h
	net/bridge/br_sysfs_br.c
Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

f5014d90

media: vivid: fix compose size exceed boundary · 4d9fad5e

由 Liu Shixin 提交于 2月 22, 2023

stable inclusion
from stable-v5.10.163
commit f9d19f3a044ca651b0be52a4bf951ffe74259b9f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6CIF8
CVE: CVE-2023-0615

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f9d19f3a044ca651b0be52a4bf951ffe74259b9f

--------------------------------

[ Upstream commit 94a7ad92 ]

syzkaller found a bug:

 BUG: unable to handle page fault for address: ffffc9000a3b1000
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0
 Oops: 0002 [#1] PREEMPT SMP
 CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 RIP: 0010:memcpy_erms+0x6/0x10
[...]
 Call Trace:
  <TASK>
  ? tpg_fill_plane_buffer+0x856/0x15b0
  vivid_fillbuff+0x8ac/0x1110
  vivid_thread_vid_cap_tick+0x361/0xc90
  vivid_thread_vid_cap+0x21a/0x3a0
  kthread+0x143/0x180
  ret_from_fork+0x1f/0x30
  </TASK>

This is because we forget to check boundary after adjust compose->height
int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem
for this case.

Fixes: ef834f78 ("[media] vivid: add the video capture and output parts")
Signed-off-by: NLiu Shixin <liushixin2@huawei.com>
Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NWang Hai <wanghai38@huawei.com>
Signed-off-by: NLonglong Xia <xialonglong1@huawei.com>
Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>

4d9fad5e

!411 intel: backport isst issue fix and other update to align with upstream 6.0 · 570b6bca

由 openeuler-ci-bot 提交于 2月 25, 2023

Merge Pull Request from: @jiayingbao

there is write cpu power error reported in recent test and the issue found fix patch platform-x86-ISST-Allow-configurable-offset-range needed.
and there is other important fix on platform-x86-ISST-PUNIT-device-mapping-with-Sub-NUMA.
so with this PR, it will align isst driver with upstream 6.0.
update: add one more fix d36d4a1d

Link:https://gitee.com/openeuler/kernel/pulls/411

Reviewed-by: Jason Zeng <jason.zeng@intel.com>
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

570b6bca

23 2月, 2023 10 次提交

!401 Accelerator Live Migration Bugfix · c75d4a85

由 openeuler-ci-bot 提交于 2月 23, 2023

Merge Pull Request from: @xiao_jiang_shui 
 
When using the old PCI_FUNC method to obtain the vf id, if the number
of vf big than 8, the obtained id number will be wrong, and the new
method needs to be used to correct it.

issues：https://gitee.com/openeuler/kernel/issues/I6F3ZE 
 
Link:https://gitee.com/openeuler/kernel/pulls/401 

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

c75d4a85

platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering · a6c6598d

由 Srinivas Pandruvada 提交于 6月 29, 2022

mainline inclusion
from mainline-6.0
commit 9a1aac8a
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a1aac8a96dc014bec49806a7a964bf2fdbd315f

Intel-SIG: commit 9a1aac8a platform/x86: ISST: PUNIT device mapping
with Sub-NUMA clustering.
Backport for intel SST feature sub-NUMA bug fix

-------------------------------------------------

On a multiple package system using Sub-NUMA clustering, there is an issue
in mapping Linux CPU number to PUNIT PCI device when manufacturer decided
to reuse the PCI bus number across packages. Bus number can be reused as
long as they are in different domain or segment. In this case some CPU
will fail to find a PCI device to issue SST requests.

When bus numbers are reused across CPU packages, we are using proximity
information by matching CPU numa node id to PUNIT PCI device numa node
id. But on a package there can be only one PUNIT PCI device, but multiple
numa nodes (one for each sub cluster). So, the numa node ID of the PUNIT
PCI device can only match with one numa node id of CPUs in a sub cluster
in the package.

Since there can be only one PUNIT PCI device per package, if we match
with numa node id of any sub cluster in that package, we can use that
mapping for any CPU in that package. So, store the match information
in a per package data structure and return the information when there
is no match.

While here, use defines for max bus number instead of hardcoding.
Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20220629194817.2418240-1-srinivas.pandruvada@linux.intel.comReviewed-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

a6c6598d

platform/x86: ISST: use semi-colons instead of commas · 1a78ebaa

由 Dan Carpenter 提交于 8月 25, 2021

mainline inclusion
from mainline-5.15
commit 55879dc4
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=55879dc4d095232609fe81498c1b43f042708eef

Intel-SIG: commit 55879dc4 platform/x86: ISST: use semi-colons
instead of commas.
Backport SST missed patch for 5.10.

-------------------------------------------------
The code works the same either way, but it's better to use semi-colons
to separate statements.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20210825072357.GA12957@kiliSigned-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

1a78ebaa

platform/x86: ISST: Mark mmio_range_devid_0 and mmio_range_devid_1 with static keyword · 3b366d0f

由 Zou Wei 提交于 12月 08, 2020

commit 0cd3f561 upstream.
mainline inclusion
from mainline-5.11
commit 0cd3f561
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cd3f561efa9adce840140720e0581355db3e554

Intel-SIG: commit 0cd3f561 platform/x86: ISST: Mark mmio_range_devid_0
and mmio_range_devid_1 with static keyword.
Backport SST missed patch for 5.10.

-------------------------------------------------

Fix the following sparse warnings:

drivers/platform/x86/intel_speed_select_if/isst_if_mmio.c:23:24: warning: symbol 'mmio_range_devid_0' was not declared. Should it be static?
drivers/platform/x86/intel_speed_select_if/isst_if_mmio.c:28:24: warning: symbol 'mmio_range_devid_1' was not declared. Should it be static?
Signed-off-by: NZou Wei <zou_wei@huawei.com>
Link: https://lore.kernel.org/r/1607430489-116200-1-git-send-email-zou_wei@huawei.comSigned-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

3b366d0f

platform/x86: ISST: Change PCI device macros · d007086b

由 Srinivas Pandruvada 提交于 12月 03, 2020

mainline inclusion
from mainline-5.11
commit 7c88ab57
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c88ab5715a265d5dde06e4e1b0dd4370d911372

Intel-SIG: commit 7c88ab57 platform/x86: ISST: Change PCI device macros.
Backport SST missed patch for 5.10.

-------------------------------------------------

Use PCI_VDEVICE and PCI_DEVICE_DATA macros. No functional changes are
expected.
Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20201204015746.1168941-3-srinivas.pandruvada@linux.intel.comSigned-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

d007086b

platform/x86: ISST: Allow configurable offset range · 0ce2ac43

由 Srinivas Pandruvada 提交于 12月 03, 2020

mainline inclusion
from mainline-5.11
commit 761f0ee0
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=761f0ee0e84b4c18535c6d17890ccc9f5c617e8d

Intel-SIG: commit 761f0ee0 platform/x86: ISST: Allow configurable
offset range.
Backport SST missed patch for 5.10.

-------------------------------------------------

The mmio offset range can be different based on the PCI device id. Here
for INTEL_RAPL_PRIO_DEVID_1, the range is increased from 45 to 64. Pass
the range as the driver_data. Also account for different ranges during
save/restore via suspend/resume callbacks.
Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20201204015746.1168941-2-srinivas.pandruvada@linux.intel.comSigned-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

0ce2ac43

platform/x86: ISST: Check for unaligned mmio address · 70f6404e

由 Srinivas Pandruvada 提交于 12月 03, 2020

mainline inclusion
from mainline-5.11
commit a552f204
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a552f204b050b213b1e41a5134a0d2726c9a2ec1

Intel-SIG: commit a552f204 platform/x86: ISST: Check for unaligned
mmio address.
Backport SST missed patch for 5.10.

-------------------------------------------------

The address should be aligned to 4 byte boundary. So send an error for
unaligned address.
Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20201204015746.1168941-1-srinivas.pandruvada@linux.intel.comSigned-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

70f6404e

platform/x86: ISST: Fix optimization with use of numa · a287c1fa

由 Srinivas Pandruvada 提交于 7月 27, 2021

mainline inclusion
from mainline-5.15
commit d36d4a1d
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d36d4a1d75d2a8bd14ec00d5cb0ce166f6886146

Intel-SIG: commit d36d4a1d platform/x86: ISST: Fix optimization with use of numa.
Backport for ISST driver fix

-------------------------------------------------

When numa is used to map CPU to PCI device, the optimized path to read
from cached data is not working and still calls _isst_if_get_pci_dev().

The reason is that when caching the mapping, numa information is not
available as it is read later. So move the assignment of
isst_cpu_info[cpu].numa_node before calling _isst_if_get_pci_dev().

Fixes: aa2ddd24 ("platform/x86: ISST: Use numa node id for cpu pci dev mapping")
Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20210727165052.427238-1-srinivas.pandruvada@linux.intel.comSigned-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

a287c1fa

platform/x86: ISST: Use numa node id for cpu pci dev mapping · 709b93da

由 Srinivas Pandruvada 提交于 6月 16, 2021

mainline inclusion
from mainline-5.14
commit aa2ddd24
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aa2ddd24257213bdfd2f65058531810ac57455dc

Intel-SIG: commit aa2ddd24 platform/x86: ISST: Use numa node id
for cpu pci dev mapping.
Backport for ISST Optimize PCI device mapping

-------------------------------------------------

There is a problem in mapping CPU to a PCI device instance when the
bus numbers are reused in different packages. This was observed on
some Sapphire Rapids systems.

The current implementation reads bus number assigned to a CPU package
via MSR 0x128. This allows to establish relationship between a CPU
and a PCI device. This allows to update power related parameters to a
MMIO offset in a PCI device space which is unique to a CPU. But if
two packages uses same bus number then this mapping will not be unique.

When bus number is reused, PCI device will use different domain number
or segment number. So we need to be aware of this domain information
while matching CPU to PCI bus number. This domain information is not
available via any MSR. So need to use ACPI numa node information.

There is an interface already available in the Linux to read numa
node for a CPU and a PCI device. This change uses this interface
to check the numa node of a match PCI device with bus number.
If the bus number and numa node matches with the CPU's assigned
bus number and numa node, the matched PCI device instance will be
returned to the caller.

It is possible that before Sapphire Rapids, the numa node is not
defined for the Speed Select PCI device in some OEM systems. In this
case to restore old behavior, return the last matched PCI device
for domain 0 unlsess there are more than one matches.
Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20210616221329.1909276-2-srinivas.pandruvada@linux.intel.comReviewed-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

709b93da

platform/x86: ISST: Optimize CPU to PCI device mapping · da78cf63

由 Srinivas Pandruvada 提交于 6月 16, 2021

mainline inclusion
from mainline-5.14
commit 1e42de8e
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6FY06
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1e42de8e53d32bbd7a732df49d872a30b4f888b4

Intel-SIG: commit 1e42de8e platform/x86: ISST: Optimize CPU to PCI
device mapping.
Backport for ISST Optimize PCI device mapping

-------------------------------------------------

It was observed that some of the high performance benchmarks are spending
more time in kernel depending on which CPU package they are executing.
The difference is significant and benchmark scores varies more than 10%.
These benchmarks adjust class of service to improve thread performance
which run in parallel. This class of service change causes access to
MMIO region of Intel Speed Select PCI devices depending on the CPU
package they are executing.

This mapping from CPU to PCI device instance uses a standard Linux PCI
interface "pci_get_domain_bus_and_slot()". This function does a linear
search to get to a PCI device. Since these platforms have 100+ PCI
devices, this search can be expensive in fast path for benchmarks.

Since the device and function of PCI device is fixed for Intel
Speed Select PCI devices, the CPU to PCI device information can be cached
at the same time when bus number for the CPU is read. In this way during
runtime the cached information can be used. This improves performance
of these benchmarks significantly.
Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://lore.kernel.org/r/20210616221329.1909276-1-srinivas.pandruvada@linux.intel.comReviewed-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nyingbao jia <yingbao.jia@intel.com>

da78cf63

17 2月, 2023 15 次提交

!406 [sync] PR-399: Backport fs, block and net bugfixes · 72458d2c

由 openeuler-ci-bot 提交于 2月 17, 2023

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/399 
 
Pull fs bugfixes from Zhihao Cheng and ZhaoLong Wang
block bugfix from Yu Kuai
net bugfixes from Liu Jian 
 
Link:https://gitee.com/openeuler/kernel/pulls/406 

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

72458d2c

!407 Backport 5.10.145 - 5.10.149 LTS · 57494e92

由 openeuler-ci-bot 提交于 2月 17, 2023

Merge Pull Request from: @zhangjialin11 
 
Backport 5.10.145 LTS patches from upstream.

Conflicts:

Already merged(3):
9f267393b036 cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
06e194e1130c video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
e00582a36198 video: fbdev: i740fb: Error out if 'pixclock' equals zero

Context conflict(1):
f63ddf62d0c8 tools/include/uapi: Fix <asm/errno.h> for parisc and xtensa

Total patches: 39 - 3 = 36

Backport 5.10.146 LTS patches from upstream.

Conflicts:

Already merged(7):
958b0ee23f5a ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0
ab4a733874ea ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
5d75fef3e61e netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
9a5d7e0acb41 netfilter: nf_conntrack_irc: Tighten matching on DCC message
e811a534ec2f xfs: fix up non-directory creation in SGID directories
a60babeb60ff KVM: SEV: add cache flush to solve SEV cache incoherency issues
3a26651a7856 USB: core: Fix RST error in hub.c

Context conflict(1):
abb560abdf47 vfio/type1: Prepare for batched pinning with struct vfio_batch

Total patches: 138 - 7 = 131

Backport 5.10.147 LTS patches from upstream.

Conflicts:

Already merged(1):
cce5dc03338e scsi: hisi_sas: Revert "scsi: hisi_sas: Limit max hw sectors for v3 HW"

Total patches: 51 - 1 = 50

Backport 5.10.148 LTS patches from upstream.

Conflicts:

Already merged(11):
58c0306d0bcd wifi: mac80211: fix crash in beacon protection for P2P-device
b0e5c5deb788 wifi: cfg80211: avoid nontransmitted BSS list corruption
6b9448450313 wifi: cfg80211: fix BSS refcounting bugs
a6408e0b694c wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
36b33c63515a scsi: stex: Properly zero out the passthrough command structure
1b257f97fec4 usb: mon: make mmapped memory read only
1e555c3ed1fc fs: fix UAF/GPF bug in nilfs_mdt_destroy
fce793a056c6 ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
aad4c997857f nilfs2: fix leak of nilfs_root in case of writer thread creation failure
21ee3cffed8f nilfs2: fix use-after-free bug of struct nilfs_root
3f840480e314 nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()

Total patches: 54 - 11 = 43

Backport 5.10.149 LTS patches from upstream.

Conflicts:

Already merged(1):
31ce5da48a84 wifi: mac80211: fix MBSSID parsing use-after-free

Total patches: 4 - 1 = 3

Summary: 36 + 131 + 50 + 43 + 3 = 263 
 
Link:https://gitee.com/openeuler/kernel/pulls/407 

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

57494e92

wifi: mac80211: don't parse mbssid in assoc response · e6e4784b

由 Johannes Berg 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.149
commit 353b5c8d4bea712774ccc631782ed8cc3630528a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WY

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=353b5c8d4bea712774ccc631782ed8cc3630528a

--------------------------------

This is simply not valid and simplifies the next commit.
I'll make a separate patch for this in the current main
tree as well.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

e6e4784b

mac80211: mlme: find auth challenge directly · f2de1cb6

由 Johannes Berg 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.149
commit 66dacdbc2e830e1187bf0f1171ca257d816ab7e3
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WY

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=66dacdbc2e830e1187bf0f1171ca257d816ab7e3

--------------------------------

There's no need to parse all elements etc. just to find the
authentication challenge - use cfg80211_find_elem() instead.
This also allows us to remove WLAN_EID_CHALLENGE handling
from the element parsing entirely.

Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

f2de1cb6

Revert "fs: check FMODE_LSEEK to control internal pipe splicing" · 4b95c2cf

由 Sasha Levin 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.149
commit a07708a843558658de1cdff63ae653e6dcb8c81a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WY

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a07708a843558658de1cdff63ae653e6dcb8c81a

--------------------------------

This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6.

Which was upstream commit 97ef77c5.

The commit is missing dependencies and breaks NFS tests, remove it for
now.
Reported-by: NSaeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

4b95c2cf

misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic · f29a3627

由 Shunsuke Mie 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit 0df206bdc6204b758585bbe159a55e23e7917b13
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0df206bdc6204b758585bbe159a55e23e7917b13

--------------------------------

commit 8e30538e upstream.

The dma_map_single() doesn't permit zero length mapping. It causes a follow
panic.

A panic was reported on arm64:

[   60.137988] ------------[ cut here ]------------
[   60.142630] kernel BUG at kernel/dma/swiotlb.c:624!
[   60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[   60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l
2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn
c videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl
[   60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237
[   60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT)
[   60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590
[   60.213149] lr : swiotlb_map+0x88/0x1f0
[   60.216982] sp : ffff80000a883bc0
[   60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000
[   60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0
[   60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000
[   60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000
[   60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180
[   60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000
[   60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
[   60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000
[   60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001
[   60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010
[   60.291658] Call trace:
[   60.294100]  swiotlb_tbl_map_single+0x2c0/0x590
[   60.298629]  swiotlb_map+0x88/0x1f0
[   60.302115]  dma_map_page_attrs+0x188/0x230
[   60.306299]  pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test]
[   60.312660]  __arm64_sys_ioctl+0xa8/0xf0
[   60.316583]  invoke_syscall+0x44/0x108
[   60.320334]  el0_svc_common.constprop.0+0xcc/0xf0
[   60.325038]  do_el0_svc+0x2c/0xb8
[   60.328351]  el0_svc+0x2c/0x88
[   60.331406]  el0t_64_sync_handler+0xb8/0xc0
[   60.335587]  el0t_64_sync+0x18c/0x190
[   60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000)
[   60.345344] ---[ end trace 0000000000000000 ]---

To fix it, this patch adds a checking the payload length if it is zero.

Fixes: 343dc693 ("misc: pci_endpoint_test: Prevent some integer overflows")
Cc: stable <stable@kernel.org>
Signed-off-by: NShunsuke Mie <mie@igel.co.jp>
Link: https://lore.kernel.org/r/20220907020100.122588-2-mie@igel.co.jpSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

f29a3627

misc: pci_endpoint_test: Aggregate params checking for xfer · 1cedc186

由 Shunsuke Mie 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit 40a29e58f6394963829bb1a26ff3bc9ef6c3aae5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=40a29e58f6394963829bb1a26ff3bc9ef6c3aae5

--------------------------------

commit 3e42deaa upstream.

Each transfer test functions have same parameter checking code. This patch
unites those to an introduced function.
Signed-off-by: NShunsuke Mie <mie@igel.co.jp>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20220907020100.122588-1-mie@igel.co.jpSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

1cedc186

Input: xpad - fix wireless 360 controller breaking after suspend · d7d926cd

由 Cameron Gutman 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit 9c13b1a044c96315a87f3b5bd6d8d2cd1796bce8
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9c13b1a044c96315a87f3b5bd6d8d2cd1796bce8

--------------------------------

commit a17b9841 upstream.

Suspending and resuming the system can sometimes cause the out
URB to get hung after a reset_resume. This causes LED setting
and force feedback to break on resume. To avoid this, just drop
the reset_resume callback so the USB core rebinds xpad to the
wireless pads on resume if a reset happened.

A nice side effect of this change is the LED ring on wireless
controllers is now set correctly on system resume.

Cc: stable@vger.kernel.org
Fixes: 4220f7db ("Input: xpad - workaround dead irq_out after suspend/ resume")
Signed-off-by: NCameron Gutman <aicommander@gmail.com>
Signed-off-by: NPavel Rojtberg <rojtberg@gmail.com>
Link: https://lore.kernel.org/r/20220818154411.510308-3-rojtberg@gmail.comSigned-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

d7d926cd

Input: xpad - add supported devices as contributed on github · bff5c201

由 Pavel Rojtberg 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit 19dba9c3b5a3f4a648d4fb5a24f821e201f573e5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=19dba9c3b5a3f4a648d4fb5a24f821e201f573e5

--------------------------------

commit b382c5e3 upstream.

This is based on multiple commits at https://github.com/paroj/xpad

Cc: stable@vger.kernel.org
Signed-off-by: NJasper Poppe <jgpoppe@gmail.com>
Signed-off-by: NJeremy Palmer <jpalmer@linz.govt.nz>
Signed-off-by: NRuineka <ruinairas1992@gmail.com>
Signed-off-by: NCleber de Mattos Casali <clebercasali@gmail.com>
Signed-off-by: NKyle Gospodnetich <me@kylegospodneti.ch>
Signed-off-by: NPavel Rojtberg <rojtberg@gmail.com>
Link: https://lore.kernel.org/r/20220818154411.510308-2-rojtberg@gmail.comSigned-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

bff5c201

wifi: cfg80211: update hidden BSSes to avoid WARN_ON · 734036d1

由 Johannes Berg 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit b2b9386667e613d449f38d37517e67b667063283
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b2b9386667e613d449f38d37517e67b667063283

--------------------------------

commit c90b93b5 upstream.

When updating beacon elements in a non-transmitted BSS,
also update the hidden sub-entries to the same beacon
elements, so that a future update through other paths
won't trigger a WARN_ON().

The warning is triggered because the beacon elements in
the hidden BSSes that are children of the BSS should
always be the same as in the parent.
Reported-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

734036d1

wifi: mac80211_hwsim: avoid mac80211 warning on bad rate · 228980bb

由 Johannes Berg 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit 3539e75abe3c9e5acc0b40b06773bc5aac0e358e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3539e75abe3c9e5acc0b40b06773bc5aac0e358e

--------------------------------

commit 1833b6f4 upstream.

If the tool on the other side (e.g. wmediumd) gets confused
about the rate, we hit a warning in mac80211. Silence that
by effectively duplicating the check here and dropping the
frame silently (in mac80211 it's dropped with the warning).
Reported-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

228980bb

wifi: cfg80211: ensure length byte is present before access · c4863491

由 Johannes Berg 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit 6144c97f96f5cc3ede984b224fdf8dde658cfcad
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6144c97f96f5cc3ede984b224fdf8dde658cfcad

--------------------------------

commit 567e14e3 upstream.

When iterating the elements here, ensure the length byte is
present before checking it to see if the entire element will
fit into the buffer.

Longer term, we should rewrite this code using the type-safe
element iteration macros that check all of this.

Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: NSoenke Huster <shuster@seemoo.tu-darmstadt.de>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

c4863491

wifi: cfg80211/mac80211: reject bad MBSSID elements · e12ee596

由 Johannes Berg 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit e7aa7fd10eba32835de3dfa7f1691a90043faa73
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e7aa7fd10eba32835de3dfa7f1691a90043faa73

--------------------------------

commit 8f033d2b upstream.

Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
and the minimum is 1 since a multiple BSSID set with just one BSSID
doesn't make sense (the # of BSSIDs is limited by 2^n).

Limit this in the parsing in both cfg80211 and mac80211, rejecting
any elements with an invalid value.

This fixes potentially bad shifts in the processing of these inside
the cfg80211_gen_new_bssid() function later.

I found this during the investigation of CVE-2022-41674 fixed by the
previous patch.

Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Fixes: 78ac51f8 ("mac80211: support multi-bssid")
Reviewed-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

e12ee596

random: use expired timer rather than wq for mixing fast pool · 5ae177ab

由 Jason A. Donenfeld 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit b0c37581be9ad4c8b249850e4f1ca1900a5a4e1e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b0c37581be9ad4c8b249850e4f1ca1900a5a4e1e

--------------------------------

commit 748bc4dd upstream.

Previously, the fast pool was dumped into the main pool periodically in
the fast pool's hard IRQ handler. This worked fine and there weren't
problems with it, until RT came around. Since RT converts spinlocks into
sleeping locks, problems cropped up. Rather than switching to raw
spinlocks, the RT developers preferred we make the transformation from
originally doing:

    do_some_stuff()
    spin_lock()
    do_some_other_stuff()
    spin_unlock()

to doing:

    do_some_stuff()
    queue_work_on(some_other_stuff_worker)

This is an ordinary pattern done all over the kernel. However, Sherry
noticed a 10% performance regression in qperf TCP over a 40gbps
InfiniBand card. Quoting her message:

> MT27500 Family [ConnectX-3] cards:
> Infiniband device 'mlx4_0' port 1 status:
> default gid: fe80:0000:0000:0000:0010:e000:0178:9eb1
> base lid: 0x6
> sm lid: 0x1
> state: 4: ACTIVE
> phys state: 5: LinkUp
> rate: 40 Gb/sec (4X QDR)
> link_layer: InfiniBand
>
> Cards are configured with IP addresses on private subnet for IPoIB
> performance testing.
> Regression identified in this bug is in TCP latency in this stack as reported
> by qperf tcp_lat metric:
>
> We have one system listen as a qperf server:
> [root@yourQperfServer ~]# qperf
>
> Have the other system connect to qperf server as a client (in this
> case, it’s X7 server with Mellanox card):
> [root@yourQperfClient ~]# numactl -m0 -N0 qperf 20.20.20.101 -v -uu -ub --time 60 --wait_server 20 -oo msg_size:4K:1024K:*2 tcp_lat

Rather than incur the scheduling latency from queue_work_on, we can
instead switch to running on the next timer tick, on the same core. This
also batches things a bit more -- once per jiffy -- which is okay now
that mix_interrupt_randomness() can credit multiple bits at once.
Reported-by: NSherry Yang <sherry.yang@oracle.com>
Tested-by: NPaul Webb <paul.x.webb@oracle.com>
Cc: Sherry Yang <sherry.yang@oracle.com>
Cc: Phillip Goerl <phillip.goerl@oracle.com>
Cc: Jack Vogel <jack.vogel@oracle.com>
Cc: Nicky Veitch <nicky.veitch@oracle.com>
Cc: Colm Harrington <colm.harrington@oracle.com>
Cc: Ramanan Govindarajan <ramanan.govindarajan@oracle.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Tejun Heo <tj@kernel.org>
Cc: Sultan Alsawaf <sultan@kerneltoast.com>
Cc: stable@vger.kernel.org
Fixes: 58340f8e ("random: defer fast pool mixing to worker")
Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

5ae177ab

random: avoid reading two cache lines on irq randomness · e43478c1

由 Jason A. Donenfeld 提交于 2月 15, 2023

stable inclusion
from stable-v5.10.148
commit c1a4423fd30f6ff4289be19786c9e76b5ac104a6
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0WL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c1a4423fd30f6ff4289be19786c9e76b5ac104a6

--------------------------------

commit 9ee0507e upstream.

In order to avoid reading and dirtying two cache lines on every IRQ,
move the work_struct to the bottom of the fast_pool struct. add_
interrupt_randomness() always touches .pool and .count, which are
currently split, because .mix pushes everything down. Instead, move .mix
to the bottom, so that .pool and .count are always in the first cache
line, since .mix is only accessed when the pool is full.

Fixes: 58340f8e ("random: defer fast pool mixing to worker")
Reviewed-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: NZheng Zengkai <zhengzengkai@huawei.com>

e43478c1

openeuler / Kernel 接近 2 年 前同步成功

openeuler / Kernel
接近 2 年前同步成功