diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 14:43:39 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 14:43:39 +0200 |
commit | 6a125161a36c412bdab5c89519b99c735a27c24b (patch) | |
tree | 060cac4954a0fe6a44ff54b1b797704795b78b49 | |
parent | 5b9893b84efd2e19327429a969f5ae50dc311095 (diff) | |
download | stable-queue-6a125161a36c412bdab5c89519b99c735a27c24b.tar.gz |
6.8-stable patches
added patches:
ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
fbdev-fix-incorrect-address-computation-in-deferred-io.patch
firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch
macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
mtd-diskonchip-work-around-ubsan-link-failure.patch
mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch
net-b44-set-pause-params-only-when-interface-is-up.patch
net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
udp-preserve-the-connected-status-if-only-udp-cmsg.patch
wifi-nl80211-don-t-free-null-coalescing-rule.patch
15 files changed, 1379 insertions, 0 deletions
diff --git a/queue-6.8/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch b/queue-6.8/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch new file mode 100644 index 0000000000..7b6bc94120 --- /dev/null +++ b/queue-6.8/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch @@ -0,0 +1,78 @@ +From 6e159fd653d7ebf6290358e0330a0cb8a75cf73b Mon Sep 17 00:00:00 2001 +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Date: Tue, 23 Apr 2024 11:13:03 -0700 +Subject: ethernet: Add helper for assigning packet type when dest address does not match device address + +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> + +commit 6e159fd653d7ebf6290358e0330a0cb8a75cf73b upstream. + +Enable reuse of logic in eth_type_trans for determining packet type. + +Suggested-by: Sabrina Dubroca <sd@queasysnail.net> +Cc: stable@vger.kernel.org +Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> +Link: https://lore.kernel.org/r/20240423181319.115860-3-rrameshbabu@nvidia.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/linux/etherdevice.h | 25 +++++++++++++++++++++++++ + net/ethernet/eth.c | 12 +----------- + 2 files changed, 26 insertions(+), 11 deletions(-) + +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -608,6 +608,31 @@ static inline void eth_hw_addr_gen(struc + } + + /** ++ * eth_skb_pkt_type - Assign packet type if destination address does not match ++ * @skb: Assigned a packet type if address does not match @dev address ++ * @dev: Network device used to compare packet address against ++ * ++ * If the destination MAC address of the packet does not match the network ++ * device address, assign an appropriate packet type. ++ */ ++static inline void eth_skb_pkt_type(struct sk_buff *skb, ++ const struct net_device *dev) ++{ ++ const struct ethhdr *eth = eth_hdr(skb); ++ ++ if (unlikely(!ether_addr_equal_64bits(eth->h_dest, dev->dev_addr))) { ++ if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) { ++ if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast)) ++ skb->pkt_type = PACKET_BROADCAST; ++ else ++ skb->pkt_type = PACKET_MULTICAST; ++ } else { ++ skb->pkt_type = PACKET_OTHERHOST; ++ } ++ } ++} ++ ++/** + * eth_skb_pad - Pad buffer to mininum number of octets for Ethernet frame + * @skb: Buffer to pad + * +--- a/net/ethernet/eth.c ++++ b/net/ethernet/eth.c +@@ -164,17 +164,7 @@ __be16 eth_type_trans(struct sk_buff *sk + eth = (struct ethhdr *)skb->data; + skb_pull_inline(skb, ETH_HLEN); + +- if (unlikely(!ether_addr_equal_64bits(eth->h_dest, +- dev->dev_addr))) { +- if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) { +- if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast)) +- skb->pkt_type = PACKET_BROADCAST; +- else +- skb->pkt_type = PACKET_MULTICAST; +- } else { +- skb->pkt_type = PACKET_OTHERHOST; +- } +- } ++ eth_skb_pkt_type(skb, dev); + + /* + * Some variants of DSA tagging don't have an ethertype field diff --git a/queue-6.8/fbdev-fix-incorrect-address-computation-in-deferred-io.patch b/queue-6.8/fbdev-fix-incorrect-address-computation-in-deferred-io.patch new file mode 100644 index 0000000000..a7e0bbf190 --- /dev/null +++ b/queue-6.8/fbdev-fix-incorrect-address-computation-in-deferred-io.patch @@ -0,0 +1,55 @@ +From 78d9161d2bcd442d93d917339297ffa057dbee8c Mon Sep 17 00:00:00 2001 +From: Nam Cao <namcao@linutronix.de> +Date: Tue, 23 Apr 2024 13:50:53 +0200 +Subject: fbdev: fix incorrect address computation in deferred IO + +From: Nam Cao <namcao@linutronix.de> + +commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream. + +With deferred IO enabled, a page fault happens when data is written to the +framebuffer device. Then driver determines which page is being updated by +calculating the offset of the written virtual address within the virtual +memory area, and uses this offset to get the updated page within the +internal buffer. This page is later copied to hardware (thus the name +"deferred IO"). + +This offset calculation is only correct if the virtual memory area is +mapped to the beginning of the internal buffer. Otherwise this is wrong. +For example, if users do: + mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000); + +Then the virtual memory area will mapped at offset 0xff000 within the +internal buffer. This offset 0xff000 is not accounted for, and wrong page +is updated. + +Correct the calculation by using vmf->pgoff instead. With this change, the +variable "offset" will no longer hold the exact offset value, but it is +rounded down to multiples of PAGE_SIZE. But this is still correct, because +this variable is only used to calculate the page offset. + +Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> +Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com +Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct") +Cc: <stable@vger.kernel.org> +Signed-off-by: Nam Cao <namcao@linutronix.de> +Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> +Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> +Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> +Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@linutronix.de +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/video/fbdev/core/fb_defio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/core/fb_defio.c ++++ b/drivers/video/fbdev/core/fb_defio.c +@@ -196,7 +196,7 @@ err_mutex_unlock: + */ + static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf) + { +- unsigned long offset = vmf->address - vmf->vma->vm_start; ++ unsigned long offset = vmf->pgoff << PAGE_SHIFT; + struct page *page = vmf->page; + + file_update_time(vmf->vma->vm_file); diff --git a/queue-6.8/firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch b/queue-6.8/firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch new file mode 100644 index 0000000000..1756d9f716 --- /dev/null +++ b/queue-6.8/firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch @@ -0,0 +1,522 @@ +From ed09f81eeaa8f9265e1787282cb283f10285c259 Mon Sep 17 00:00:00 2001 +From: Maximilian Luz <luzmaximilian@gmail.com> +Date: Sat, 6 Apr 2024 15:01:09 +0200 +Subject: firmware: qcom: uefisecapp: Fix memory related IO errors and crashes + +From: Maximilian Luz <luzmaximilian@gmail.com> + +commit ed09f81eeaa8f9265e1787282cb283f10285c259 upstream. + +It turns out that while the QSEECOM APP_SEND command has specific fields +for request and response buffers, uefisecapp expects them both to be in +a single memory region. Failure to adhere to this has (so far) resulted +in either no response being written to the response buffer (causing an +EIO to be emitted down the line), the SCM call to fail with EINVAL +(i.e., directly from TZ/firmware), or the device to be hard-reset. + +While this issue can be triggered deterministically, in the current form +it seems to happen rather sporadically (which is why it has gone +unnoticed during earlier testing). This is likely due to the two +kzalloc() calls (for request and response) being directly after each +other. Which means that those likely return consecutive regions most of +the time, especially when not much else is going on in the system. + +Fix this by allocating a single memory region for both request and +response buffers, properly aligning both structs inside it. This +unfortunately also means that the qcom_scm_qseecom_app_send() interface +needs to be restructured, as it should no longer map the DMA regions +separately. Therefore, move the responsibility of DMA allocation (or +mapping) to the caller. + +Fixes: 759e7a2b62eb ("firmware: Add support for Qualcomm UEFI Secure Application") +Cc: stable@vger.kernel.org # 6.7 +Tested-by: Johan Hovold <johan+linaro@kernel.org> +Reviewed-by: Johan Hovold <johan+linaro@kernel.org> +Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com> +Tested-by: Konrad Dybcio <konrad.dybcio@linaro.org> # X13s +Link: https://lore.kernel.org/r/20240406130125.1047436-1-luzmaximilian@gmail.com +Signed-off-by: Bjorn Andersson <andersson@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + .../firmware/qcom/qcom_qseecom_uefisecapp.c | 137 ++++++++++++------ + drivers/firmware/qcom/qcom_scm.c | 37 +---- + include/linux/firmware/qcom/qcom_qseecom.h | 55 ++++++- + include/linux/firmware/qcom/qcom_scm.h | 10 +- + 4 files changed, 153 insertions(+), 86 deletions(-) + +diff --git a/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c b/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c +index 32188f098ef3..bc550ad0dbe0 100644 +--- a/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c ++++ b/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c +@@ -221,6 +221,19 @@ struct qsee_rsp_uefi_query_variable_info { + * alignment of 8 bytes (64 bits) for GUIDs. Our definition of efi_guid_t, + * however, has an alignment of 4 byte (32 bits). So far, this seems to work + * fine here. See also the comment on the typedef of efi_guid_t. ++ * ++ * Note: It looks like uefisecapp is quite picky about how the memory passed to ++ * it is structured and aligned. In particular the request/response setup used ++ * for QSEE_CMD_UEFI_GET_VARIABLE. While qcom_qseecom_app_send(), in theory, ++ * accepts separate buffers/addresses for the request and response parts, in ++ * practice, however, it seems to expect them to be both part of a larger ++ * contiguous block. We initially allocated separate buffers for the request ++ * and response but this caused the QSEE_CMD_UEFI_GET_VARIABLE command to ++ * either not write any response to the response buffer or outright crash the ++ * device. Therefore, we now allocate a single contiguous block of DMA memory ++ * for both and properly align the data using the macros below. In particular, ++ * request and response structs are aligned at 8 byte (via __reqdata_offs()), ++ * following the driver that this has been reverse-engineered from. + */ + #define qcuefi_buf_align_fields(fields...) \ + ({ \ +@@ -244,6 +257,12 @@ struct qsee_rsp_uefi_query_variable_info { + #define __array_offs(type, count, offset) \ + __field_impl(sizeof(type) * (count), __alignof__(type), offset) + ++#define __array_offs_aligned(type, count, align, offset) \ ++ __field_impl(sizeof(type) * (count), align, offset) ++ ++#define __reqdata_offs(size, offset) \ ++ __array_offs_aligned(u8, size, 8, offset) ++ + #define __array(type, count) __array_offs(type, count, NULL) + #define __field_offs(type, offset) __array_offs(type, 1, offset) + #define __field(type) __array_offs(type, 1, NULL) +@@ -277,10 +296,15 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e + unsigned long buffer_size = *data_size; + efi_status_t efi_status = EFI_SUCCESS; + unsigned long name_length; ++ dma_addr_t cmd_buf_dma; ++ size_t cmd_buf_size; ++ void *cmd_buf; + size_t guid_offs; + size_t name_offs; + size_t req_size; + size_t rsp_size; ++ size_t req_offs; ++ size_t rsp_offs; + ssize_t status; + + if (!name || !guid) +@@ -304,17 +328,19 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e + __array(u8, buffer_size) + ); + +- req_data = kzalloc(req_size, GFP_KERNEL); +- if (!req_data) { ++ cmd_buf_size = qcuefi_buf_align_fields( ++ __reqdata_offs(req_size, &req_offs) ++ __reqdata_offs(rsp_size, &rsp_offs) ++ ); ++ ++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL); ++ if (!cmd_buf) { + efi_status = EFI_OUT_OF_RESOURCES; + goto out; + } + +- rsp_data = kzalloc(rsp_size, GFP_KERNEL); +- if (!rsp_data) { +- efi_status = EFI_OUT_OF_RESOURCES; +- goto out_free_req; +- } ++ req_data = cmd_buf + req_offs; ++ rsp_data = cmd_buf + rsp_offs; + + req_data->command_id = QSEE_CMD_UEFI_GET_VARIABLE; + req_data->data_size = buffer_size; +@@ -332,7 +358,9 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e + + memcpy(((void *)req_data) + req_data->guid_offset, guid, req_data->guid_size); + +- status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data, rsp_size); ++ status = qcom_qseecom_app_send(qcuefi->client, ++ cmd_buf_dma + req_offs, req_size, ++ cmd_buf_dma + rsp_offs, rsp_size); + if (status) { + efi_status = EFI_DEVICE_ERROR; + goto out_free; +@@ -407,9 +435,7 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e + memcpy(data, ((void *)rsp_data) + rsp_data->data_offset, rsp_data->data_size); + + out_free: +- kfree(rsp_data); +-out_free_req: +- kfree(req_data); ++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma); + out: + return efi_status; + } +@@ -422,10 +448,15 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e + struct qsee_rsp_uefi_set_variable *rsp_data; + efi_status_t efi_status = EFI_SUCCESS; + unsigned long name_length; ++ dma_addr_t cmd_buf_dma; ++ size_t cmd_buf_size; ++ void *cmd_buf; + size_t name_offs; + size_t guid_offs; + size_t data_offs; + size_t req_size; ++ size_t req_offs; ++ size_t rsp_offs; + ssize_t status; + + if (!name || !guid) +@@ -450,17 +481,19 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e + __array_offs(u8, data_size, &data_offs) + ); + +- req_data = kzalloc(req_size, GFP_KERNEL); +- if (!req_data) { ++ cmd_buf_size = qcuefi_buf_align_fields( ++ __reqdata_offs(req_size, &req_offs) ++ __reqdata_offs(sizeof(*rsp_data), &rsp_offs) ++ ); ++ ++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL); ++ if (!cmd_buf) { + efi_status = EFI_OUT_OF_RESOURCES; + goto out; + } + +- rsp_data = kzalloc(sizeof(*rsp_data), GFP_KERNEL); +- if (!rsp_data) { +- efi_status = EFI_OUT_OF_RESOURCES; +- goto out_free_req; +- } ++ req_data = cmd_buf + req_offs; ++ rsp_data = cmd_buf + rsp_offs; + + req_data->command_id = QSEE_CMD_UEFI_SET_VARIABLE; + req_data->attributes = attributes; +@@ -483,8 +516,9 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e + if (data_size) + memcpy(((void *)req_data) + req_data->data_offset, data, req_data->data_size); + +- status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data, +- sizeof(*rsp_data)); ++ status = qcom_qseecom_app_send(qcuefi->client, ++ cmd_buf_dma + req_offs, req_size, ++ cmd_buf_dma + rsp_offs, sizeof(*rsp_data)); + if (status) { + efi_status = EFI_DEVICE_ERROR; + goto out_free; +@@ -507,9 +541,7 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e + } + + out_free: +- kfree(rsp_data); +-out_free_req: +- kfree(req_data); ++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma); + out: + return efi_status; + } +@@ -521,10 +553,15 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi, + struct qsee_req_uefi_get_next_variable *req_data; + struct qsee_rsp_uefi_get_next_variable *rsp_data; + efi_status_t efi_status = EFI_SUCCESS; ++ dma_addr_t cmd_buf_dma; ++ size_t cmd_buf_size; ++ void *cmd_buf; + size_t guid_offs; + size_t name_offs; + size_t req_size; + size_t rsp_size; ++ size_t req_offs; ++ size_t rsp_offs; + ssize_t status; + + if (!name_size || !name || !guid) +@@ -545,17 +582,19 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi, + __array(*name, *name_size / sizeof(*name)) + ); + +- req_data = kzalloc(req_size, GFP_KERNEL); +- if (!req_data) { ++ cmd_buf_size = qcuefi_buf_align_fields( ++ __reqdata_offs(req_size, &req_offs) ++ __reqdata_offs(rsp_size, &rsp_offs) ++ ); ++ ++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL); ++ if (!cmd_buf) { + efi_status = EFI_OUT_OF_RESOURCES; + goto out; + } + +- rsp_data = kzalloc(rsp_size, GFP_KERNEL); +- if (!rsp_data) { +- efi_status = EFI_OUT_OF_RESOURCES; +- goto out_free_req; +- } ++ req_data = cmd_buf + req_offs; ++ rsp_data = cmd_buf + rsp_offs; + + req_data->command_id = QSEE_CMD_UEFI_GET_NEXT_VARIABLE; + req_data->guid_offset = guid_offs; +@@ -572,7 +611,9 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi, + goto out_free; + } + +- status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data, rsp_size); ++ status = qcom_qseecom_app_send(qcuefi->client, ++ cmd_buf_dma + req_offs, req_size, ++ cmd_buf_dma + rsp_offs, rsp_size); + if (status) { + efi_status = EFI_DEVICE_ERROR; + goto out_free; +@@ -645,9 +686,7 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi, + } + + out_free: +- kfree(rsp_data); +-out_free_req: +- kfree(req_data); ++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma); + out: + return efi_status; + } +@@ -659,26 +698,34 @@ static efi_status_t qsee_uefi_query_variable_info(struct qcuefi_client *qcuefi, + struct qsee_req_uefi_query_variable_info *req_data; + struct qsee_rsp_uefi_query_variable_info *rsp_data; + efi_status_t efi_status = EFI_SUCCESS; ++ dma_addr_t cmd_buf_dma; ++ size_t cmd_buf_size; ++ void *cmd_buf; ++ size_t req_offs; ++ size_t rsp_offs; + int status; + +- req_data = kzalloc(sizeof(*req_data), GFP_KERNEL); +- if (!req_data) { ++ cmd_buf_size = qcuefi_buf_align_fields( ++ __reqdata_offs(sizeof(*req_data), &req_offs) ++ __reqdata_offs(sizeof(*rsp_data), &rsp_offs) ++ ); ++ ++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL); ++ if (!cmd_buf) { + efi_status = EFI_OUT_OF_RESOURCES; + goto out; + } + +- rsp_data = kzalloc(sizeof(*rsp_data), GFP_KERNEL); +- if (!rsp_data) { +- efi_status = EFI_OUT_OF_RESOURCES; +- goto out_free_req; +- } ++ req_data = cmd_buf + req_offs; ++ rsp_data = cmd_buf + rsp_offs; + + req_data->command_id = QSEE_CMD_UEFI_QUERY_VARIABLE_INFO; + req_data->attributes = attr; + req_data->length = sizeof(*req_data); + +- status = qcom_qseecom_app_send(qcuefi->client, req_data, sizeof(*req_data), rsp_data, +- sizeof(*rsp_data)); ++ status = qcom_qseecom_app_send(qcuefi->client, ++ cmd_buf_dma + req_offs, sizeof(*req_data), ++ cmd_buf_dma + rsp_offs, sizeof(*rsp_data)); + if (status) { + efi_status = EFI_DEVICE_ERROR; + goto out_free; +@@ -711,9 +758,7 @@ static efi_status_t qsee_uefi_query_variable_info(struct qcuefi_client *qcuefi, + *max_variable_size = rsp_data->max_variable_size; + + out_free: +- kfree(rsp_data); +-out_free_req: +- kfree(req_data); ++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma); + out: + return efi_status; + } +diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c +index 520de9b5633a..90283f160a22 100644 +--- a/drivers/firmware/qcom/qcom_scm.c ++++ b/drivers/firmware/qcom/qcom_scm.c +@@ -1576,9 +1576,9 @@ EXPORT_SYMBOL_GPL(qcom_scm_qseecom_app_get_id); + /** + * qcom_scm_qseecom_app_send() - Send to and receive data from a given QSEE app. + * @app_id: The ID of the target app. +- * @req: Request buffer sent to the app (must be DMA-mappable). ++ * @req: DMA address of the request buffer sent to the app. + * @req_size: Size of the request buffer. +- * @rsp: Response buffer, written to by the app (must be DMA-mappable). ++ * @rsp: DMA address of the response buffer, written to by the app. + * @rsp_size: Size of the response buffer. + * + * Sends a request to the QSEE app associated with the given ID and read back +@@ -1589,33 +1589,13 @@ EXPORT_SYMBOL_GPL(qcom_scm_qseecom_app_get_id); + * + * Return: Zero on success, nonzero on failure. + */ +-int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp, +- size_t rsp_size) ++int qcom_scm_qseecom_app_send(u32 app_id, dma_addr_t req, size_t req_size, ++ dma_addr_t rsp, size_t rsp_size) + { + struct qcom_scm_qseecom_resp res = {}; + struct qcom_scm_desc desc = {}; +- dma_addr_t req_phys; +- dma_addr_t rsp_phys; + int status; + +- /* Map request buffer */ +- req_phys = dma_map_single(__scm->dev, req, req_size, DMA_TO_DEVICE); +- status = dma_mapping_error(__scm->dev, req_phys); +- if (status) { +- dev_err(__scm->dev, "qseecom: failed to map request buffer\n"); +- return status; +- } +- +- /* Map response buffer */ +- rsp_phys = dma_map_single(__scm->dev, rsp, rsp_size, DMA_FROM_DEVICE); +- status = dma_mapping_error(__scm->dev, rsp_phys); +- if (status) { +- dma_unmap_single(__scm->dev, req_phys, req_size, DMA_TO_DEVICE); +- dev_err(__scm->dev, "qseecom: failed to map response buffer\n"); +- return status; +- } +- +- /* Set up SCM call data */ + desc.owner = QSEECOM_TZ_OWNER_TZ_APPS; + desc.svc = QSEECOM_TZ_SVC_APP_ID_PLACEHOLDER; + desc.cmd = QSEECOM_TZ_CMD_APP_SEND; +@@ -1623,18 +1603,13 @@ int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp, + QCOM_SCM_RW, QCOM_SCM_VAL, + QCOM_SCM_RW, QCOM_SCM_VAL); + desc.args[0] = app_id; +- desc.args[1] = req_phys; ++ desc.args[1] = req; + desc.args[2] = req_size; +- desc.args[3] = rsp_phys; ++ desc.args[3] = rsp; + desc.args[4] = rsp_size; + +- /* Perform call */ + status = qcom_scm_qseecom_call(&desc, &res); + +- /* Unmap buffers */ +- dma_unmap_single(__scm->dev, rsp_phys, rsp_size, DMA_FROM_DEVICE); +- dma_unmap_single(__scm->dev, req_phys, req_size, DMA_TO_DEVICE); +- + if (status) + return status; + +diff --git a/include/linux/firmware/qcom/qcom_qseecom.h b/include/linux/firmware/qcom/qcom_qseecom.h +index 5c28298a98be..366243ee9609 100644 +--- a/include/linux/firmware/qcom/qcom_qseecom.h ++++ b/include/linux/firmware/qcom/qcom_qseecom.h +@@ -10,6 +10,7 @@ + #define __QCOM_QSEECOM_H + + #include <linux/auxiliary_bus.h> ++#include <linux/dma-mapping.h> + #include <linux/types.h> + + #include <linux/firmware/qcom/qcom_scm.h> +@@ -24,12 +25,57 @@ struct qseecom_client { + u32 app_id; + }; + ++/** ++ * qseecom_scm_dev() - Get the SCM device associated with the QSEECOM client. ++ * @client: The QSEECOM client device. ++ * ++ * Returns the SCM device under which the provided QSEECOM client device ++ * operates. This function is intended to be used for DMA allocations. ++ */ ++static inline struct device *qseecom_scm_dev(struct qseecom_client *client) ++{ ++ return client->aux_dev.dev.parent->parent; ++} ++ ++/** ++ * qseecom_dma_alloc() - Allocate DMA memory for a QSEECOM client. ++ * @client: The QSEECOM client to allocate the memory for. ++ * @size: The number of bytes to allocate. ++ * @dma_handle: Pointer to where the DMA address should be stored. ++ * @gfp: Allocation flags. ++ * ++ * Wrapper function for dma_alloc_coherent(), allocating DMA memory usable for ++ * TZ/QSEECOM communication. Refer to dma_alloc_coherent() for details. ++ */ ++static inline void *qseecom_dma_alloc(struct qseecom_client *client, size_t size, ++ dma_addr_t *dma_handle, gfp_t gfp) ++{ ++ return dma_alloc_coherent(qseecom_scm_dev(client), size, dma_handle, gfp); ++} ++ ++/** ++ * dma_free_coherent() - Free QSEECOM DMA memory. ++ * @client: The QSEECOM client for which the memory has been allocated. ++ * @size: The number of bytes allocated. ++ * @cpu_addr: Virtual memory address to free. ++ * @dma_handle: DMA memory address to free. ++ * ++ * Wrapper function for dma_free_coherent(), freeing memory previously ++ * allocated with qseecom_dma_alloc(). Refer to dma_free_coherent() for ++ * details. ++ */ ++static inline void qseecom_dma_free(struct qseecom_client *client, size_t size, ++ void *cpu_addr, dma_addr_t dma_handle) ++{ ++ return dma_free_coherent(qseecom_scm_dev(client), size, cpu_addr, dma_handle); ++} ++ + /** + * qcom_qseecom_app_send() - Send to and receive data from a given QSEE app. + * @client: The QSEECOM client associated with the target app. +- * @req: Request buffer sent to the app (must be DMA-mappable). ++ * @req: DMA address of the request buffer sent to the app. + * @req_size: Size of the request buffer. +- * @rsp: Response buffer, written to by the app (must be DMA-mappable). ++ * @rsp: DMA address of the response buffer, written to by the app. + * @rsp_size: Size of the response buffer. + * + * Sends a request to the QSEE app associated with the given client and read +@@ -43,8 +89,9 @@ struct qseecom_client { + * + * Return: Zero on success, nonzero on failure. + */ +-static inline int qcom_qseecom_app_send(struct qseecom_client *client, void *req, size_t req_size, +- void *rsp, size_t rsp_size) ++static inline int qcom_qseecom_app_send(struct qseecom_client *client, ++ dma_addr_t req, size_t req_size, ++ dma_addr_t rsp, size_t rsp_size) + { + return qcom_scm_qseecom_app_send(client->app_id, req, req_size, rsp, rsp_size); + } +diff --git a/include/linux/firmware/qcom/qcom_scm.h b/include/linux/firmware/qcom/qcom_scm.h +index ccaf28846054..aaa19f93ac43 100644 +--- a/include/linux/firmware/qcom/qcom_scm.h ++++ b/include/linux/firmware/qcom/qcom_scm.h +@@ -118,8 +118,8 @@ bool qcom_scm_lmh_dcvsh_available(void); + #ifdef CONFIG_QCOM_QSEECOM + + int qcom_scm_qseecom_app_get_id(const char *app_name, u32 *app_id); +-int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp, +- size_t rsp_size); ++int qcom_scm_qseecom_app_send(u32 app_id, dma_addr_t req, size_t req_size, ++ dma_addr_t rsp, size_t rsp_size); + + #else /* CONFIG_QCOM_QSEECOM */ + +@@ -128,9 +128,9 @@ static inline int qcom_scm_qseecom_app_get_id(const char *app_name, u32 *app_id) + return -EINVAL; + } + +-static inline int qcom_scm_qseecom_app_send(u32 app_id, void *req, +- size_t req_size, void *rsp, +- size_t rsp_size) ++static inline int qcom_scm_qseecom_app_send(u32 app_id, ++ dma_addr_t req, size_t req_size, ++ dma_addr_t rsp, size_t rsp_size) + { + return -EINVAL; + } +-- +2.44.0 + diff --git a/queue-6.8/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch b/queue-6.8/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch new file mode 100644 index 0000000000..51e62783c9 --- /dev/null +++ b/queue-6.8/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch @@ -0,0 +1,113 @@ +From 642c984dd0e37dbaec9f87bd1211e5fac1f142bf Mon Sep 17 00:00:00 2001 +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Date: Tue, 23 Apr 2024 11:13:04 -0700 +Subject: macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst + +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> + +commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream. + +Can now correctly identify where the packets should be delivered by using +md_dst or its absence on devices that provide it. + +This detection is not possible without device drivers that update md_dst. A +fallback pattern should be used for supporting such device drivers. This +fallback mode causes multicast messages to be cloned to both the non-macsec +and macsec ports, independent of whether the multicast message received was +encrypted over MACsec or not. Other non-macsec traffic may also fail to be +handled correctly for devices in promiscuous mode. + +Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/ +Cc: Sabrina Dubroca <sd@queasysnail.net> +Cc: stable@vger.kernel.org +Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support") +Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com> +Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com> +Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> +Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/macsec.c | 46 ++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 36 insertions(+), 10 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -999,10 +999,12 @@ static enum rx_handler_result handle_not + struct metadata_dst *md_dst; + struct macsec_rxh_data *rxd; + struct macsec_dev *macsec; ++ bool is_macsec_md_dst; + + rcu_read_lock(); + rxd = macsec_data_rcu(skb->dev); + md_dst = skb_metadata_dst(skb); ++ is_macsec_md_dst = md_dst && md_dst->type == METADATA_MACSEC; + + list_for_each_entry_rcu(macsec, &rxd->secys, secys) { + struct sk_buff *nskb; +@@ -1013,14 +1015,42 @@ static enum rx_handler_result handle_not + * the SecTAG, so we have to deduce which port to deliver to. + */ + if (macsec_is_offloaded(macsec) && netif_running(ndev)) { +- struct macsec_rx_sc *rx_sc = NULL; ++ const struct macsec_ops *ops; + +- if (md_dst && md_dst->type == METADATA_MACSEC) +- rx_sc = find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci); ++ ops = macsec_get_ops(macsec, NULL); + +- if (md_dst && md_dst->type == METADATA_MACSEC && !rx_sc) ++ if (ops->rx_uses_md_dst && !is_macsec_md_dst) + continue; + ++ if (is_macsec_md_dst) { ++ struct macsec_rx_sc *rx_sc; ++ ++ /* All drivers that implement MACsec offload ++ * support using skb metadata destinations must ++ * indicate that they do so. ++ */ ++ DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst); ++ rx_sc = find_rx_sc(&macsec->secy, ++ md_dst->u.macsec_info.sci); ++ if (!rx_sc) ++ continue; ++ /* device indicated macsec offload occurred */ ++ skb->dev = ndev; ++ skb->pkt_type = PACKET_HOST; ++ eth_skb_pkt_type(skb, ndev); ++ ret = RX_HANDLER_ANOTHER; ++ goto out; ++ } ++ ++ /* This datapath is insecure because it is unable to ++ * enforce isolation of broadcast/multicast traffic and ++ * unicast traffic with promiscuous mode on the macsec ++ * netdev. Since the core stack has no mechanism to ++ * check that the hardware did indeed receive MACsec ++ * traffic, it is possible that the response handling ++ * done by the MACsec port was to a plaintext packet. ++ * This violates the MACsec protocol standard. ++ */ + if (ether_addr_equal_64bits(hdr->h_dest, + ndev->dev_addr)) { + /* exact match, divert skb to this port */ +@@ -1036,14 +1066,10 @@ static enum rx_handler_result handle_not + break; + + nskb->dev = ndev; +- if (ether_addr_equal_64bits(hdr->h_dest, +- ndev->broadcast)) +- nskb->pkt_type = PACKET_BROADCAST; +- else +- nskb->pkt_type = PACKET_MULTICAST; ++ eth_skb_pkt_type(nskb, ndev); + + __netif_rx(nskb); +- } else if (rx_sc || ndev->flags & IFF_PROMISC) { ++ } else if (ndev->flags & IFF_PROMISC) { + skb->dev = ndev; + skb->pkt_type = PACKET_HOST; + ret = RX_HANDLER_ANOTHER; diff --git a/queue-6.8/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch b/queue-6.8/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch new file mode 100644 index 0000000000..7d8d596d38 --- /dev/null +++ b/queue-6.8/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch @@ -0,0 +1,47 @@ +From 475747a19316b08e856c666a20503e73d7ed67ed Mon Sep 17 00:00:00 2001 +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Date: Tue, 23 Apr 2024 11:13:02 -0700 +Subject: macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads + +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> + +commit 475747a19316b08e856c666a20503e73d7ed67ed upstream. + +Cannot know whether a Rx skb missing md_dst is intended for MACsec or not +without knowing whether the device is able to update this field during an +offload. Assume that an offload to a MACsec device cannot support updating +md_dst by default. Capable devices can advertise that they do indicate that +an skb is related to a MACsec offloaded packet using the md_dst. + +Cc: Sabrina Dubroca <sd@queasysnail.net> +Cc: stable@vger.kernel.org +Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support") +Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com> +Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com> +Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> +Link: https://lore.kernel.org/r/20240423181319.115860-2-rrameshbabu@nvidia.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/net/macsec.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/net/macsec.h ++++ b/include/net/macsec.h +@@ -321,6 +321,7 @@ struct macsec_context { + * for the TX tag + * @needed_tailroom: number of bytes reserved at the end of the sk_buff for the + * TX tag ++ * @rx_uses_md_dst: whether MACsec device offload supports sk_buff md_dst + */ + struct macsec_ops { + /* Device wide */ +@@ -352,6 +353,7 @@ struct macsec_ops { + struct sk_buff *skb); + unsigned int needed_headroom; + unsigned int needed_tailroom; ++ bool rx_uses_md_dst; + }; + + void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa); diff --git a/queue-6.8/mtd-diskonchip-work-around-ubsan-link-failure.patch b/queue-6.8/mtd-diskonchip-work-around-ubsan-link-failure.patch new file mode 100644 index 0000000000..78d89fe896 --- /dev/null +++ b/queue-6.8/mtd-diskonchip-work-around-ubsan-link-failure.patch @@ -0,0 +1,56 @@ +From 21c9fb611c25d5cd038f6fe485232e7884bb0b3d Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Fri, 5 Apr 2024 16:30:04 +0200 +Subject: mtd: diskonchip: work around ubsan link failure + +From: Arnd Bergmann <arnd@arndb.de> + +commit 21c9fb611c25d5cd038f6fe485232e7884bb0b3d upstream. + +I ran into a randconfig build failure with UBSAN using gcc-13.2: + +arm-linux-gnueabi-ld: error: unplaced orphan section `.bss..Lubsan_data31' from `drivers/mtd/nand/raw/diskonchip.o' + +I'm not entirely sure what is going on here, but I suspect this has something +to do with the check for the end of the doc_locations[] array that contains +an (unsigned long)0xffffffff element, which is compared against the signed +(int)0xffffffff. If this is the case, we should get a runtime check for +undefined behavior, but we instead get an unexpected build-time error. + +I would have expected this to work fine on 32-bit architectures despite the +signed integer overflow, though on 64-bit architectures this likely won't +ever work. + +Changing the contition to instead check for the size of the array makes the +code safe everywhere and avoids the ubsan check that leads to the link +error. The loop code goes back to before 2.6.12. + +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> +Link: https://lore.kernel.org/linux-mtd/20240405143015.717429-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/mtd/nand/raw/diskonchip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/diskonchip.c ++++ b/drivers/mtd/nand/raw/diskonchip.c +@@ -53,7 +53,7 @@ static unsigned long doc_locations[] __i + 0xe8000, 0xea000, 0xec000, 0xee000, + #endif + #endif +- 0xffffffff }; ++}; + + static struct mtd_info *doclist = NULL; + +@@ -1554,7 +1554,7 @@ static int __init init_nanddoc(void) + if (ret < 0) + return ret; + } else { +- for (i = 0; (doc_locations[i] != 0xffffffff); i++) { ++ for (i = 0; i < ARRAY_SIZE(doc_locations); i++) { + doc_probe(doc_locations[i]); + } + } diff --git a/queue-6.8/mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch b/queue-6.8/mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch new file mode 100644 index 0000000000..55a4419f10 --- /dev/null +++ b/queue-6.8/mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch @@ -0,0 +1,57 @@ +From d2d73a6dd17365c43e109263841f7c26da55cfb0 Mon Sep 17 00:00:00 2001 +From: Christian Marangi <ansuelsmth@gmail.com> +Date: Fri, 12 Apr 2024 12:50:26 +0200 +Subject: mtd: limit OTP NVMEM cell parse to non-NAND devices + +From: Christian Marangi <ansuelsmth@gmail.com> + +commit d2d73a6dd17365c43e109263841f7c26da55cfb0 upstream. + +MTD OTP logic is very fragile on parsing NVMEM cell and can be +problematic with some specific kind of devices. + +The problem was discovered by e87161321a40 ("mtd: rawnand: macronix: +OTP access for MX30LFxG18AC") where OTP support was added to a NAND +device. With the case of NAND devices, it does require a node where ECC +info are declared and all the fixed partitions, and this cause the OTP +codepath to parse this node as OTP NVMEM cells, making probe fail and +the NAND device registration fail. + +MTD OTP parsing should have been limited to always using compatible to +prevent this error by using node with compatible "otp-user" or +"otp-factory". + +NVMEM across the years had various iteration on how cells could be +declared in DT, in some old implementation, no_of_node should have been +enabled but now add_legacy_fixed_of_cells should be used to disable +NVMEM to parse child node as NVMEM cell. + +To fix this and limit any regression with other MTD that makes use of +declaring OTP as direct child of the dev node, disable +add_legacy_fixed_of_cells if we detect the MTD type is Nand. + +With the following logic, the OTP NVMEM entry is correctly created with +no cells and the MTD Nand is correctly probed and partitions are +correctly exposed. + +Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") +Cc: <stable@vger.kernel.org> # v6.7+ +Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> +Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> +Link: https://lore.kernel.org/linux-mtd/20240412105030.1598-1-ansuelsmth@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/mtd/mtdcore.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/mtdcore.c ++++ b/drivers/mtd/mtdcore.c +@@ -900,7 +900,7 @@ static struct nvmem_device *mtd_otp_nvme + config.name = compatible; + config.id = NVMEM_DEVID_AUTO; + config.owner = THIS_MODULE; +- config.add_legacy_fixed_of_cells = true; ++ config.add_legacy_fixed_of_cells = !mtd_type_is_nand(mtd); + config.type = NVMEM_TYPE_OTP; + config.root_only = true; + config.ignore_wp = true; diff --git a/queue-6.8/net-b44-set-pause-params-only-when-interface-is-up.patch b/queue-6.8/net-b44-set-pause-params-only-when-interface-is-up.patch new file mode 100644 index 0000000000..01e9da9b65 --- /dev/null +++ b/queue-6.8/net-b44-set-pause-params-only-when-interface-is-up.patch @@ -0,0 +1,61 @@ +From e3eb7dd47bd4806f00e104eb6da092c435f9fb21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Peter=20M=C3=BCnster?= <pm@a16n.net> +Date: Wed, 24 Apr 2024 15:51:52 +0200 +Subject: net: b44: set pause params only when interface is up +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Münster <pm@a16n.net> + +commit e3eb7dd47bd4806f00e104eb6da092c435f9fb21 upstream. + +b44_free_rings() accesses b44::rx_buffers (and ::tx_buffers) +unconditionally, but b44::rx_buffers is only valid when the +device is up (they get allocated in b44_open(), and deallocated +again in b44_close()), any other time these are just a NULL pointers. + +So if you try to change the pause params while the network interface +is disabled/administratively down, everything explodes (which likely +netifd tries to do). + +Link: https://github.com/openwrt/openwrt/issues/13789 +Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2) +Cc: stable@vger.kernel.org +Reported-by: Peter Münster <pm@a16n.net> +Suggested-by: Jonas Gorski <jonas.gorski@gmail.com> +Signed-off-by: Vaclav Svoboda <svoboda@neng.cz> +Tested-by: Peter Münster <pm@a16n.net> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: Peter Münster <pm@a16n.net> +Reviewed-by: Michael Chan <michael.chan@broadcom.com> +Link: https://lore.kernel.org/r/87y192oolj.fsf@a16n.net +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/ethernet/broadcom/b44.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/broadcom/b44.c ++++ b/drivers/net/ethernet/broadcom/b44.c +@@ -2009,12 +2009,14 @@ static int b44_set_pauseparam(struct net + bp->flags |= B44_FLAG_TX_PAUSE; + else + bp->flags &= ~B44_FLAG_TX_PAUSE; +- if (bp->flags & B44_FLAG_PAUSE_AUTO) { +- b44_halt(bp); +- b44_init_rings(bp); +- b44_init_hw(bp, B44_FULL_RESET); +- } else { +- __b44_set_flow_ctrl(bp, bp->flags); ++ if (netif_running(dev)) { ++ if (bp->flags & B44_FLAG_PAUSE_AUTO) { ++ b44_halt(bp); ++ b44_init_rings(bp); ++ b44_init_hw(bp, B44_FULL_RESET); ++ } else { ++ __b44_set_flow_ctrl(bp, bp->flags); ++ } + } + spin_unlock_irq(&bp->lock); + diff --git a/queue-6.8/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch b/queue-6.8/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch new file mode 100644 index 0000000000..e00db17130 --- /dev/null +++ b/queue-6.8/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch @@ -0,0 +1,37 @@ +From 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff Mon Sep 17 00:00:00 2001 +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Date: Tue, 23 Apr 2024 11:13:05 -0700 +Subject: net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec + +From: Rahul Rameshbabu <rrameshbabu@nvidia.com> + +commit 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff upstream. + +mlx5 Rx flow steering and CQE handling enable the driver to be able to +update an skb's md_dst attribute as MACsec when MACsec traffic arrives when +a device is configured for offloading. Advertise this to the core stack to +take advantage of this capability. + +Cc: stable@vger.kernel.org +Fixes: b7c9400cbc48 ("net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst") +Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> +Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com> +Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com> +Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> +Link: https://lore.kernel.org/r/20240423181319.115860-5-rrameshbabu@nvidia.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c +@@ -1640,6 +1640,7 @@ static const struct macsec_ops macsec_of + .mdo_add_secy = mlx5e_macsec_add_secy, + .mdo_upd_secy = mlx5e_macsec_upd_secy, + .mdo_del_secy = mlx5e_macsec_del_secy, ++ .rx_uses_md_dst = true, + }; + + bool mlx5e_macsec_handle_tx_skb(struct mlx5e_macsec *macsec, struct sk_buff *skb) diff --git a/queue-6.8/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch b/queue-6.8/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch new file mode 100644 index 0000000000..e7a59e4239 --- /dev/null +++ b/queue-6.8/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch @@ -0,0 +1,55 @@ +From ee13e1f3c72b9464a4d73017c060ab503eed653a Mon Sep 17 00:00:00 2001 +From: Stephen Boyd <swboyd@chromium.org> +Date: Thu, 4 Apr 2024 17:01:03 -0700 +Subject: phy: qcom: qmp-combo: Fix register base for QSERDES_DP_PHY_MODE + +From: Stephen Boyd <swboyd@chromium.org> + +commit ee13e1f3c72b9464a4d73017c060ab503eed653a upstream. + +The register base that was used to write to the QSERDES_DP_PHY_MODE +register was 'dp_dp_phy' before commit 815891eee668 ("phy: +qcom-qmp-combo: Introduce orientation variable"). There isn't any +explanation in the commit why this is changed, so I suspect it was an +oversight or happened while being extracted from some other series. +Oddly the value being 0x4c or 0x5c doesn't seem to matter for me, so I +suspect this is dead code, but that can be fixed in another patch. It's +not good to write to the wrong register space, and maybe some other +version of this phy relies on this. + +Cc: Douglas Anderson <dianders@chromium.org> +Cc: Abhinav Kumar <quic_abhinavk@quicinc.com> +Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> +Cc: Neil Armstrong <neil.armstrong@linaro.org> +Cc: Abel Vesa <abel.vesa@linaro.org> +Cc: Steev Klimaszewski <steev@kali.org> +Cc: Johan Hovold <johan+linaro@kernel.org> +Cc: Bjorn Andersson <quic_bjorande@quicinc.com> +Cc: stable@vger.kernel.org # 6.5 +Fixes: 815891eee668 ("phy: qcom-qmp-combo: Introduce orientation variable") +Signed-off-by: Stephen Boyd <swboyd@chromium.org> +Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com> +Reviewed-by: Bjorn Andersson <quic_bjorande@quicinc.com> +Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> +Reviewed-by: Johan Hovold <johan+linaro@kernel.org> +Link: https://lore.kernel.org/r/20240405000111.1450598-1-swboyd@chromium.org +Signed-off-by: Vinod Koul <vkoul@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +@@ -2211,9 +2211,9 @@ static bool qmp_combo_configure_dp_mode( + writel(val, qmp->dp_dp_phy + QSERDES_DP_PHY_PD_CTL); + + if (reverse) +- writel(0x4c, qmp->pcs + QSERDES_DP_PHY_MODE); ++ writel(0x4c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE); + else +- writel(0x5c, qmp->pcs + QSERDES_DP_PHY_MODE); ++ writel(0x5c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE); + + return reverse; + } diff --git a/queue-6.8/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch b/queue-6.8/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch new file mode 100644 index 0000000000..e60377639f --- /dev/null +++ b/queue-6.8/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch @@ -0,0 +1,87 @@ +From 5abed58a8bde6d349bde364a160510b5bb904d18 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd <swboyd@chromium.org> +Date: Thu, 4 Apr 2024 16:43:44 -0700 +Subject: phy: qcom: qmp-combo: Fix VCO div offset on v3 + +From: Stephen Boyd <swboyd@chromium.org> + +commit 5abed58a8bde6d349bde364a160510b5bb904d18 upstream. + +Commit ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to +setup clocks") changed the offset that is used to write to +DP_PHY_VCO_DIV from QSERDES_V3_DP_PHY_VCO_DIV to +QSERDES_V4_DP_PHY_VCO_DIV. Unfortunately, this offset is different +between v3 and v4 phys: + + #define QSERDES_V3_DP_PHY_VCO_DIV 0x064 + #define QSERDES_V4_DP_PHY_VCO_DIV 0x070 + +meaning that we write the wrong register on v3 phys now. Add another +generic register to 'regs' and use it here instead of a version specific +define to fix this. + +This was discovered after Abhinav looked over register dumps with me +from sc7180 Trogdor devices that started failing to light up the +external display with v6.6 based kernels. It turns out that some +monitors are very specific about their link clk frequency and if the +default power on reset value is still there the monitor will show a +blank screen or a garbled display. Other monitors are perfectly happy to +get a bad clock signal. + +Cc: Douglas Anderson <dianders@chromium.org> +Cc: Abhinav Kumar <quic_abhinavk@quicinc.com> +Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> +Fixes: ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to setup clocks") +Signed-off-by: Stephen Boyd <swboyd@chromium.org> +Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com> +Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> +Link: https://lore.kernel.org/r/20240404234345.1446300-1-swboyd@chromium.org +Signed-off-by: Vinod Koul <vkoul@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +@@ -112,6 +112,7 @@ enum qphy_reg_layout { + QPHY_COM_BIAS_EN_CLKBUFLR_EN, + + QPHY_DP_PHY_STATUS, ++ QPHY_DP_PHY_VCO_DIV, + + QPHY_TX_TX_POL_INV, + QPHY_TX_TX_DRV_LVL, +@@ -137,6 +138,7 @@ static const unsigned int qmp_v3_usb3phy + [QPHY_COM_BIAS_EN_CLKBUFLR_EN] = QSERDES_V3_COM_BIAS_EN_CLKBUFLR_EN, + + [QPHY_DP_PHY_STATUS] = QSERDES_V3_DP_PHY_STATUS, ++ [QPHY_DP_PHY_VCO_DIV] = QSERDES_V3_DP_PHY_VCO_DIV, + + [QPHY_TX_TX_POL_INV] = QSERDES_V3_TX_TX_POL_INV, + [QPHY_TX_TX_DRV_LVL] = QSERDES_V3_TX_TX_DRV_LVL, +@@ -161,6 +163,7 @@ static const unsigned int qmp_v45_usb3ph + [QPHY_COM_BIAS_EN_CLKBUFLR_EN] = QSERDES_V4_COM_BIAS_EN_CLKBUFLR_EN, + + [QPHY_DP_PHY_STATUS] = QSERDES_V4_DP_PHY_STATUS, ++ [QPHY_DP_PHY_VCO_DIV] = QSERDES_V4_DP_PHY_VCO_DIV, + + [QPHY_TX_TX_POL_INV] = QSERDES_V4_TX_TX_POL_INV, + [QPHY_TX_TX_DRV_LVL] = QSERDES_V4_TX_TX_DRV_LVL, +@@ -2223,6 +2226,7 @@ static int qmp_combo_configure_dp_clocks + const struct phy_configure_opts_dp *dp_opts = &qmp->dp_opts; + u32 phy_vco_div; + unsigned long pixel_freq; ++ const struct qmp_phy_cfg *cfg = qmp->cfg; + + switch (dp_opts->link_rate) { + case 1620: +@@ -2245,7 +2249,7 @@ static int qmp_combo_configure_dp_clocks + /* Other link rates aren't supported */ + return -EINVAL; + } +- writel(phy_vco_div, qmp->dp_dp_phy + QSERDES_V4_DP_PHY_VCO_DIV); ++ writel(phy_vco_div, qmp->dp_dp_phy + cfg->regs[QPHY_DP_PHY_VCO_DIV]); + + clk_set_rate(qmp->dp_link_hw.clk, dp_opts->link_rate * 100000); + clk_set_rate(qmp->dp_pixel_hw.clk, pixel_freq); diff --git a/queue-6.8/series b/queue-6.8/series index a8d533f769..ee9a5060ce 100644 --- a/queue-6.8/series +++ b/queue-6.8/series @@ -182,3 +182,17 @@ irqchip-gic-v3-its-prevent-double-free-on-error.patch acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch acpi-cppc-fix-access-width-used-for-pcc-registers.patch +net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch +ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch +net-b44-set-pause-params-only-when-interface-is-up.patch +macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch +macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch +stackdepot-respect-__gfp_nolockdep-allocation-flag.patch +fbdev-fix-incorrect-address-computation-in-deferred-io.patch +udp-preserve-the-connected-status-if-only-udp-cmsg.patch +wifi-nl80211-don-t-free-null-coalescing-rule.patch +mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch +mtd-diskonchip-work-around-ubsan-link-failure.patch +firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch +phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch +phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch diff --git a/queue-6.8/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch b/queue-6.8/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch new file mode 100644 index 0000000000..39312d2fe8 --- /dev/null +++ b/queue-6.8/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch @@ -0,0 +1,95 @@ +From 6fe60465e1d53ea321ee909be26d97529e8f746c Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin <ryabinin.a.a@gmail.com> +Date: Thu, 18 Apr 2024 16:11:33 +0200 +Subject: stackdepot: respect __GFP_NOLOCKDEP allocation flag + +From: Andrey Ryabinin <ryabinin.a.a@gmail.com> + +commit 6fe60465e1d53ea321ee909be26d97529e8f746c upstream. + +If stack_depot_save_flags() allocates memory it always drops +__GFP_NOLOCKDEP flag. So when KASAN tries to track __GFP_NOLOCKDEP +allocation we may end up with lockdep splat like bellow: + +====================================================== + WARNING: possible circular locking dependency detected + 6.9.0-rc3+ #49 Not tainted + ------------------------------------------------------ + kswapd0/149 is trying to acquire lock: + ffff88811346a920 +(&xfs_nondir_ilock_class){++++}-{4:4}, at: xfs_reclaim_inode+0x3ac/0x590 +[xfs] + + but task is already holding lock: + ffffffff8bb33100 (fs_reclaim){+.+.}-{0:0}, at: +balance_pgdat+0x5d9/0xad0 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + -> #1 (fs_reclaim){+.+.}-{0:0}: + __lock_acquire+0x7da/0x1030 + lock_acquire+0x15d/0x400 + fs_reclaim_acquire+0xb5/0x100 + prepare_alloc_pages.constprop.0+0xc5/0x230 + __alloc_pages+0x12a/0x3f0 + alloc_pages_mpol+0x175/0x340 + stack_depot_save_flags+0x4c5/0x510 + kasan_save_stack+0x30/0x40 + kasan_save_track+0x10/0x30 + __kasan_slab_alloc+0x83/0x90 + kmem_cache_alloc+0x15e/0x4a0 + __alloc_object+0x35/0x370 + __create_object+0x22/0x90 + __kmalloc_node_track_caller+0x477/0x5b0 + krealloc+0x5f/0x110 + xfs_iext_insert_raw+0x4b2/0x6e0 [xfs] + xfs_iext_insert+0x2e/0x130 [xfs] + xfs_iread_bmbt_block+0x1a9/0x4d0 [xfs] + xfs_btree_visit_block+0xfb/0x290 [xfs] + xfs_btree_visit_blocks+0x215/0x2c0 [xfs] + xfs_iread_extents+0x1a2/0x2e0 [xfs] + xfs_buffered_write_iomap_begin+0x376/0x10a0 [xfs] + iomap_iter+0x1d1/0x2d0 + iomap_file_buffered_write+0x120/0x1a0 + xfs_file_buffered_write+0x128/0x4b0 [xfs] + vfs_write+0x675/0x890 + ksys_write+0xc3/0x160 + do_syscall_64+0x94/0x170 + entry_SYSCALL_64_after_hwframe+0x71/0x79 + +Always preserve __GFP_NOLOCKDEP to fix this. + +Link: https://lkml.kernel.org/r/20240418141133.22950-1-ryabinin.a.a@gmail.com +Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") +Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com> +Reported-by: Xiubo Li <xiubli@redhat.com> +Closes: https://lore.kernel.org/all/a0caa289-ca02-48eb-9bf2-d86fd47b71f4@redhat.com/ +Reported-by: Damien Le Moal <damien.lemoal@opensource.wdc.com> +Closes: https://lore.kernel.org/all/f9ff999a-e170-b66b-7caf-293f2b147ac2@opensource.wdc.com/ +Suggested-by: Dave Chinner <david@fromorbit.com> +Tested-by: Xiubo Li <xiubli@redhat.com> +Cc: Christoph Hellwig <hch@infradead.org> +Cc: Alexander Potapenko <glider@google.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + lib/stackdepot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/stackdepot.c ++++ b/lib/stackdepot.c +@@ -627,10 +627,10 @@ depot_stack_handle_t stack_depot_save_fl + /* + * Zero out zone modifiers, as we don't have specific zone + * requirements. Keep the flags related to allocation in atomic +- * contexts and I/O. ++ * contexts, I/O, nolockdep. + */ + alloc_flags &= ~GFP_ZONEMASK; +- alloc_flags &= (GFP_ATOMIC | GFP_KERNEL); ++ alloc_flags &= (GFP_ATOMIC | GFP_KERNEL | __GFP_NOLOCKDEP); + alloc_flags |= __GFP_NOWARN; + page = alloc_pages(alloc_flags, DEPOT_POOL_ORDER); + if (page) diff --git a/queue-6.8/udp-preserve-the-connected-status-if-only-udp-cmsg.patch b/queue-6.8/udp-preserve-the-connected-status-if-only-udp-cmsg.patch new file mode 100644 index 0000000000..b35b4fddb6 --- /dev/null +++ b/queue-6.8/udp-preserve-the-connected-status-if-only-udp-cmsg.patch @@ -0,0 +1,70 @@ +From 680d11f6e5427b6af1321932286722d24a8b16c1 Mon Sep 17 00:00:00 2001 +From: Yick Xie <yick.xie@gmail.com> +Date: Fri, 19 Apr 2024 01:06:10 +0800 +Subject: udp: preserve the connected status if only UDP cmsg + +From: Yick Xie <yick.xie@gmail.com> + +commit 680d11f6e5427b6af1321932286722d24a8b16c1 upstream. + +If "udp_cmsg_send()" returned 0 (i.e. only UDP cmsg), +"connected" should not be set to 0. Otherwise it stops +the connected socket from using the cached route. + +Fixes: 2e8de8576343 ("udp: add gso segment cmsg") +Signed-off-by: Yick Xie <yick.xie@gmail.com> +Cc: stable@vger.kernel.org +Reviewed-by: Willem de Bruijn <willemb@google.com> +Link: https://lore.kernel.org/r/20240418170610.867084-1-yick.xie@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/ipv4/udp.c | 5 +++-- + net/ipv6/udp.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1125,16 +1125,17 @@ int udp_sendmsg(struct sock *sk, struct + + if (msg->msg_controllen) { + err = udp_cmsg_send(sk, msg, &ipc.gso_size); +- if (err > 0) ++ if (err > 0) { + err = ip_cmsg_send(sk, msg, &ipc, + sk->sk_family == AF_INET6); ++ connected = 0; ++ } + if (unlikely(err < 0)) { + kfree(ipc.opt); + return err; + } + if (ipc.opt) + free = 1; +- connected = 0; + } + if (!ipc.opt) { + struct ip_options_rcu *inet_opt; +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1476,9 +1476,11 @@ do_udp_sendmsg: + ipc6.opt = opt; + + err = udp_cmsg_send(sk, msg, &ipc6.gso_size); +- if (err > 0) ++ if (err > 0) { + err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, fl6, + &ipc6); ++ connected = false; ++ } + if (err < 0) { + fl6_sock_release(flowlabel); + return err; +@@ -1490,7 +1492,6 @@ do_udp_sendmsg: + } + if (!(opt->opt_nflen|opt->opt_flen)) + opt = NULL; +- connected = false; + } + if (!opt) { + opt = txopt_get(np); diff --git a/queue-6.8/wifi-nl80211-don-t-free-null-coalescing-rule.patch b/queue-6.8/wifi-nl80211-don-t-free-null-coalescing-rule.patch new file mode 100644 index 0000000000..57f394cc14 --- /dev/null +++ b/queue-6.8/wifi-nl80211-don-t-free-null-coalescing-rule.patch @@ -0,0 +1,32 @@ +From 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Thu, 18 Apr 2024 10:52:23 +0200 +Subject: wifi: nl80211: don't free NULL coalescing rule + +From: Johannes Berg <johannes.berg@intel.com> + +commit 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 upstream. + +If the parsing fails, we can dereference a NULL pointer here. + +Cc: stable@vger.kernel.org +Fixes: be29b99a9b51 ("cfg80211/nl80211: Add packet coalesce support") +Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> +Link: https://msgid.link/20240418105220.b328f80406e7.Id75d961050deb05b3e4e354e024866f350c68103@changeid +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/wireless/nl80211.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -14092,6 +14092,8 @@ static int nl80211_set_coalesce(struct s + error: + for (i = 0; i < new_coalesce.n_rules; i++) { + tmp_rule = &new_coalesce.rules[i]; ++ if (!tmp_rule) ++ continue; + for (j = 0; j < tmp_rule->n_patterns; j++) + kfree(tmp_rule->patterns[j].mask); + kfree(tmp_rule->patterns); |