+++ /dev/null
-From harshit.m.mogalapalli@oracle.com Mon Jan 29 08:14:10 2024
-From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
-Date: Sun, 28 Jan 2024 21:43:42 -0800
-Subject: cifs: fix off-by-one in SMB2_query_info_init()
-To: stable@vger.kernel.org
-Cc: kovalev@altlinux.org, abuehaze@amazon.com, smfrench@gmail.com, greg@kroah.com, linux-cifs@vger.kernel.org, keescook@chromium.org, darren.kenny@oracle.com, pc@manguebit.com, nspmangalore@gmail.com, vegard.nossum@oracle.com, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
-Message-ID: <20240129054342.2472454-1-harshit.m.mogalapalli@oracle.com>
-
-From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
-
-Bug: After mounting the cifs fs, it complains with Resource temporarily
-unavailable messages.
-
-[root@vm1 xfstests-dev]# ./check -g quick -s smb3
-TEST_DEV=//<SERVER_IP>/TEST is mounted but not a type cifs filesystem
-[root@vm1 xfstests-dev]# df
-df: /mnt/test: Resource temporarily unavailable
-
-Paul's analysis of the bug:
-
- Bug is related to an off-by-one in smb2_set_next_command() when
- the client attempts to pad SMB2_QUERY_INFO request -- since it isn't
- 8 byte aligned -- even though smb2_query_info_compound() doesn't
- provide an extra iov for such padding.
-
- v5.10.y doesn't have
-
- eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
-
- and the commit does
-
- if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
- len > CIFSMaxBufSize))
- return -EINVAL;
-
- so sizeof(*req) will wrongly include the extra byte from
- smb2_query_info_req::Buffer making @len unaligned and therefore causing
- OOB in smb2_set_next_command().
-
-Fixes: 203a412e52b5 ("smb: client: fix OOB in SMB2_query_info_init()")
-Suggested-by: Paulo Alcantara <pc@manguebit.com>
-Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/cifs/smb2pdu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/cifs/smb2pdu.c
-+++ b/fs/cifs/smb2pdu.c
-@@ -3378,7 +3378,7 @@ SMB2_query_info_init(struct cifs_tcon *t
-
- iov[0].iov_base = (char *)req;
- /* 1 for Buffer */
-- iov[0].iov_len = len;
-+ iov[0].iov_len = len - 1;
- return 0;
- }
-
--- /dev/null
+From a9f31047baca57d47440c879cf259b86f900260c Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <florian.fainelli@broadcom.com>
+Date: Tue, 6 Jun 2023 14:43:47 -0700
+Subject: net: bcmgenet: Fix EEE implementation
+
+From: Florian Fainelli <florian.fainelli@broadcom.com>
+
+commit a9f31047baca57d47440c879cf259b86f900260c upstream.
+
+We had a number of short comings:
+
+- EEE must be re-evaluated whenever the state machine detects a link
+ change as wight be switching from a link partner with EEE
+ enabled/disabled
+
+- tx_lpi_enabled controls whether EEE should be enabled/disabled for the
+ transmit path, which applies to the TBUF block
+
+- We do not need to forcibly enable EEE upon system resume, as the PHY
+ state machine will trigger a link event that will do that, too
+
+Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support")
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://lore.kernel.org/r/20230606214348.2408018-1-florian.fainelli@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++++++--------------
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 +++
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 ++++++
+ 3 files changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1244,7 +1244,8 @@ static void bcmgenet_get_ethtool_stats(s
+ }
+ }
+
+-static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable)
++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
++ bool tx_lpi_enabled)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL;
+@@ -1264,7 +1265,7 @@ static void bcmgenet_eee_enable_set(stru
+
+ /* Enable EEE and switch to a 27Mhz clock automatically */
+ reg = bcmgenet_readl(priv->base + off);
+- if (enable)
++ if (tx_lpi_enabled)
+ reg |= TBUF_EEE_EN | TBUF_PM_EN;
+ else
+ reg &= ~(TBUF_EEE_EN | TBUF_PM_EN);
+@@ -1285,6 +1286,7 @@ static void bcmgenet_eee_enable_set(stru
+
+ priv->eee.eee_enabled = enable;
+ priv->eee.eee_active = enable;
++ priv->eee.tx_lpi_enabled = tx_lpi_enabled;
+ }
+
+ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e)
+@@ -1300,6 +1302,7 @@ static int bcmgenet_get_eee(struct net_d
+
+ e->eee_enabled = p->eee_enabled;
+ e->eee_active = p->eee_active;
++ e->tx_lpi_enabled = p->tx_lpi_enabled;
+ e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER);
+
+ return phy_ethtool_get_eee(dev->phydev, e);
+@@ -1309,7 +1312,6 @@ static int bcmgenet_set_eee(struct net_d
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct ethtool_eee *p = &priv->eee;
+- int ret = 0;
+
+ if (GENET_IS_V1(priv))
+ return -EOPNOTSUPP;
+@@ -1320,16 +1322,11 @@ static int bcmgenet_set_eee(struct net_d
+ p->eee_enabled = e->eee_enabled;
+
+ if (!p->eee_enabled) {
+- bcmgenet_eee_enable_set(dev, false);
++ bcmgenet_eee_enable_set(dev, false, false);
+ } else {
+- ret = phy_init_eee(dev->phydev, 0);
+- if (ret) {
+- netif_err(priv, hw, dev, "EEE initialization failed\n");
+- return ret;
+- }
+-
++ p->eee_active = phy_init_eee(dev->phydev, false) >= 0;
+ bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER);
+- bcmgenet_eee_enable_set(dev, true);
++ bcmgenet_eee_enable_set(dev, p->eee_active, e->tx_lpi_enabled);
+ }
+
+ return phy_ethtool_set_eee(dev->phydev, e);
+@@ -4217,9 +4214,6 @@ static int bcmgenet_resume(struct device
+ if (!device_may_wakeup(d))
+ phy_resume(dev->phydev);
+
+- if (priv->eee.eee_enabled)
+- bcmgenet_eee_enable_set(dev, true);
+-
+ bcmgenet_netif_start(dev);
+
+ netif_device_attach(dev);
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -756,4 +756,7 @@ int bcmgenet_wol_power_down_cfg(struct b
+ void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv,
+ enum bcmgenet_power_mode mode);
+
++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
++ bool tx_lpi_enabled);
++
+ #endif /* __BCMGENET_H__ */
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -25,6 +25,7 @@
+
+ #include "bcmgenet.h"
+
++
+ /* setup netdev link state when PHY link status change and
+ * update UMAC and RGMII block when link up
+ */
+@@ -102,6 +103,11 @@ void bcmgenet_mii_setup(struct net_devic
+ reg |= CMD_TX_EN | CMD_RX_EN;
+ }
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++
++ priv->eee.eee_active = phy_init_eee(phydev, 0) >= 0;
++ bcmgenet_eee_enable_set(dev,
++ priv->eee.eee_enabled && priv->eee.eee_active,
++ priv->eee.tx_lpi_enabled);
+ } else {
+ /* done if nothing has changed */
+ if (!status_changed)
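Review bot: In bcmgenet_eee_enable_set() the unchanged line `priv->eee.eee_enabled = enable;` now overwrites the user's configured setting, because the new call in bcmgenet_mii_setup() passes `priv->eee.eee_enabled && priv->eee.eee_active` as `enable`. If phy_init_eee() fails on one link-up (for example with a link partner that has no EEE), eee_enabled is stored as false and every later link change evaluates to false too, which appears to defeat the re-evaluation the commit message describes; bcmgenet_set_eee() has the same effect where it passes `p->eee_active`. I would keep only `priv->eee.eee_active = enable;` in the helper and leave eee_enabled to be written by bcmgenet_set_eee(). The helper's body is split across several hunks, so this reading rests on the visible lines only. Minor: the blank line added after `#include "bcmgenet.h"` in bcmmii.c is a stray whitespace change.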
--- /dev/null
+From c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 3 Nov 2023 09:42:51 +0300
+Subject: netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream.
+
+The problem is in nft_byteorder_eval() where we are iterating through a
+loop and writing to dst[0], dst[1], dst[2] and so on... On each
+iteration we are writing 8 bytes. But dst[] is an array of u32 so each
+element only has space for 4 bytes. That means that every iteration
+overwrites part of the previous element.
+
+I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
+nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
+issue. I think that the reason we have not detected this bug in testing
+is that most of time we only write one element.
+
+Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[Ajay: Modified to apply on v5.10.y]
+Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_tables.h | 4 ++--
+ net/netfilter/nft_byteorder.c | 5 +++--
+ net/netfilter/nft_meta.c | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -142,9 +142,9 @@ static inline u16 nft_reg_load16(const u
+ return *(u16 *)sreg;
+ }
+
+-static inline void nft_reg_store64(u32 *dreg, u64 val)
++static inline void nft_reg_store64(u64 *dreg, u64 val)
+ {
+- put_unaligned(val, (u64 *)dreg);
++ put_unaligned(val, dreg);
+ }
+
+ static inline u64 nft_reg_load64(const u32 *sreg)
+--- a/net/netfilter/nft_byteorder.c
++++ b/net/netfilter/nft_byteorder.c
+@@ -38,20 +38,21 @@ void nft_byteorder_eval(const struct nft
+
+ switch (priv->size) {
+ case 8: {
++ u64 *dst64 = (void *)dst;
+ u64 src64;
+
+ switch (priv->op) {
+ case NFT_BYTEORDER_NTOH:
+ for (i = 0; i < priv->len / 8; i++) {
+ src64 = nft_reg_load64(&src[i]);
+- nft_reg_store64(&dst[i], be64_to_cpu(src64));
++ nft_reg_store64(&dst64[i], be64_to_cpu(src64));
+ }
+ break;
+ case NFT_BYTEORDER_HTON:
+ for (i = 0; i < priv->len / 8; i++) {
+ src64 = (__force __u64)
+ cpu_to_be64(nft_reg_load64(&src[i]));
+- nft_reg_store64(&dst[i], src64);
++ nft_reg_store64(&dst64[i], src64);
+ }
+ break;
+ }
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -63,7 +63,7 @@ nft_meta_get_eval_time(enum nft_meta_key
+ {
+ switch (key) {
+ case NFT_META_TIME_NS:
+- nft_reg_store64(dest, ktime_get_real_ns());
++ nft_reg_store64((u64 *)dest, ktime_get_real_ns());
+ break;
+ case NFT_META_TIME_DAY:
+ nft_reg_store8(dest, nft_meta_weekday());
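Review bot: The load side of both 64-bit loops in nft_byteorder_eval() still indexes with `&src[i]`. nft_reg_load64() takes a `const u32 *`, so if src is a u32 pointer like dst (its declaration is outside the hunk), iteration i reads 8 bytes starting at byte 4*i while the store now lands at byte 8*i. For priv->len greater than 8, the second and later elements would then be converted from overlapping source bytes. Consider stepping the source the same way, e.g. `src64 = nft_reg_load64(&src[i * 2]);` in the NTOH loop and `cpu_to_be64(nft_reg_load64(&src[i * 2]))` in the HTON loop. The `(u64 *)dest` cast in nft_meta.c would also benefit from a short comment noting that the store goes through put_unaligned(), so the register is not required to be 8-byte aligned.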
mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch
tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch
x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch
-cifs-fix-off-by-one-in-smb2_query_info_init.patch
powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch
drivers-perf-pmuv3-don-t-expose-sw_incr-event-in-sys.patch
powerpc-fix-build-error-due-to-is_valid_bugaddr.patch
pm-runtime-add-devm_pm_runtime_enable-helper.patch
pm-runtime-have-devm_pm_runtime_enable-handle-pm_runtime_dont_use_autosuspend.patch
drm-msm-dsi-enable-runtime-pm.patch
+netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
+net-bcmgenet-fix-eee-implementation.patch