--- /dev/null
+From 4a37f3dd9a83186cb88d44808ab35b78375082c9 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Fri, 20 May 2022 18:10:13 +0100
+Subject: dma-direct: don't over-decrypt memory
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 4a37f3dd9a83186cb88d44808ab35b78375082c9 upstream.
+
+The original x86 sev_alloc() only called set_memory_decrypted() on
+memory returned by alloc_pages_node(), so the page order calculation
+fell out of that logic. However, the common dma-direct code has several
+potential allocators, not all of which are guaranteed to round up the
+underlying allocation to a power-of-two size, so carrying over that
+calculation for the encryption/decryption size was a mistake. Fix it by
+rounding to a *number* of pages, rather than an order.
+
+Until recently there was an even worse interaction with DMA_DIRECT_REMAP
+where we could have ended up decrypting part of the next adjacent
+vmalloc area, only averted by no architecture actually supporting both
+configs at once. Don't ask how I found that one out...
+
+Fixes: c10f07aa27da ("dma/direct: Handle force decryption for DMA coherent buffers in common code")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: David Rientjes <rientjes@google.com>
+[ backport the functional change without all the prior refactoring ]
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/dma/direct.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/kernel/dma/direct.c
++++ b/kernel/dma/direct.c
+@@ -188,7 +188,7 @@ void *dma_direct_alloc(struct device *de
+ goto out_free_pages;
+ if (force_dma_unencrypted(dev)) {
+ err = set_memory_decrypted((unsigned long)ret,
+- 1 << get_order(size));
++ PFN_UP(size));
+ if (err)
+ goto out_free_pages;
+ }
+@@ -210,7 +210,7 @@ void *dma_direct_alloc(struct device *de
+ ret = page_address(page);
+ if (force_dma_unencrypted(dev)) {
+ err = set_memory_decrypted((unsigned long)ret,
+- 1 << get_order(size));
++ PFN_UP(size));
+ if (err)
+ goto out_free_pages;
+ }
+@@ -231,7 +231,7 @@ done:
+ out_encrypt_pages:
+ if (force_dma_unencrypted(dev)) {
+ err = set_memory_encrypted((unsigned long)page_address(page),
+- 1 << get_order(size));
++ PFN_UP(size));
+ /* If memory cannot be re-encrypted, it must be leaked */
+ if (err)
+ return NULL;
+@@ -244,8 +244,6 @@ out_free_pages:
+ void dma_direct_free(struct device *dev, size_t size,
+ void *cpu_addr, dma_addr_t dma_addr, unsigned long attrs)
+ {
+- unsigned int page_order = get_order(size);
+-
+ if ((attrs & DMA_ATTR_NO_KERNEL_MAPPING) &&
+ !force_dma_unencrypted(dev)) {
+ /* cpu_addr is a struct page cookie, not a kernel address */
+@@ -266,7 +264,7 @@ void dma_direct_free(struct device *dev,
+ return;
+
+ if (force_dma_unencrypted(dev))
+- set_memory_encrypted((unsigned long)cpu_addr, 1 << page_order);
++ set_memory_encrypted((unsigned long)cpu_addr, PFN_UP(size));
+
+ if (IS_ENABLED(CONFIG_DMA_REMAP) && is_vmalloc_addr(cpu_addr))
+ vunmap(cpu_addr);
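Review bot: The return value of `set_memory_encrypted()` is ignored in this hunk of dma_direct_free(), and again in the dma_direct_free_pages() hunk, where `dma_free_contiguous(dev, page, size)` follows directly. A failed re-encryption would therefore return pages to the allocator while they may still be shared with the host. The out_encrypt_pages path in this same patch already treats that case as "must be leaked", and the free paths should do the same, e.g. `if (set_memory_encrypted((unsigned long)vaddr, PFN_UP(size))) return;` in dma_direct_free_pages(). dma_direct_free() continues outside the hunk, so the placement of the early return there has to be checked against the full function.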
+@@ -302,8 +300,7 @@ struct page *dma_direct_alloc_pages(stru
+
+ ret = page_address(page);
+ if (force_dma_unencrypted(dev)) {
+- if (set_memory_decrypted((unsigned long)ret,
+- 1 << get_order(size)))
++ if (set_memory_decrypted((unsigned long)ret, PFN_UP(size)))
+ goto out_free_pages;
+ }
+ memset(ret, 0, size);
+@@ -318,7 +315,6 @@ void dma_direct_free_pages(struct device
+ struct page *page, dma_addr_t dma_addr,
+ enum dma_data_direction dir)
+ {
+- unsigned int page_order = get_order(size);
+ void *vaddr = page_address(page);
+
+ /* If cpu_addr is not from an atomic pool, dma_free_from_pool() fails */
+@@ -327,7 +323,7 @@ void dma_direct_free_pages(struct device
+ return;
+
+ if (force_dma_unencrypted(dev))
+- set_memory_encrypted((unsigned long)vaddr, 1 << page_order);
++ set_memory_encrypted((unsigned long)vaddr, PFN_UP(size));
+
+ dma_free_contiguous(dev, page, size);
+ }
--- /dev/null
+From 1b5d73fb862414106cf270a1a7300ce8ae77de83 Mon Sep 17 00:00:00 2001
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Date: Mon, 26 Jul 2021 20:36:56 -0700
+Subject: igc: Enable PCIe PTM
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+commit 1b5d73fb862414106cf270a1a7300ce8ae77de83 upstream.
+
+Enables PCIe PTM (Precision Time Measurement) support in the igc
+driver. Notifies the PCI devices that PCIe PTM should be enabled.
+
+PCIe PTM is similar protocol to PTP (Precision Time Protocol) running
+in the PCIe fabric, it allows devices to report time measurements from
+their internal clocks and the correlation with the PCIe root clock.
+
+The i225 NIC exposes some registers that expose those time
+measurements, those registers will be used, in later patches, to
+implement the PTP_SYS_OFFSET_PRECISE ioctl().
+
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Meng Tang <tangmeng@uniontech.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -9,6 +9,7 @@
+ #include <linux/udp.h>
+ #include <linux/ip.h>
+ #include <linux/pm_runtime.h>
++#include <linux/pci.h>
+ #include <net/pkt_sched.h>
+
+ #include <net/ipv6.h>
+@@ -5041,6 +5042,10 @@ static int igc_probe(struct pci_dev *pde
+
+ pci_enable_pcie_error_reporting(pdev);
+
++ err = pci_enable_ptm(pdev, NULL);
++ if (err < 0)
++ dev_info(&pdev->dev, "PCIe PTM not supported by PCIe bus/controller\n");
++
+ pci_set_master(pdev);
+
+ err = -ENOMEM;
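Review bot: The dev_info() text added after `pci_enable_ptm(pdev, NULL)` blames the bus or controller for every failure and discards the return code. The stub in the companion pci.h patch returns -EINVAL when CONFIG_PCIE_PTM is off, so the same line is printed on a kernel simply built without PTM. Printing the code keeps the log accurate: `dev_info(&pdev->dev, "PCIe PTM not enabled (err %d)\n", err);`. The failure is deliberately non-fatal, which a one-line comment such as `/* PTM is optional; probe continues without it */` would make explicit. igc_probe() starts and ends outside the hunk.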
--- /dev/null
+From 2061ecfdf2350994e5b61c43e50e98a7a70e95ee Mon Sep 17 00:00:00 2001
+From: Ilya Maximets <i.maximets@ovn.org>
+Date: Tue, 7 Jun 2022 00:11:40 +0200
+Subject: net: openvswitch: fix misuse of the cached connection on tuple changes
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+commit 2061ecfdf2350994e5b61c43e50e98a7a70e95ee upstream.
+
+If packet headers changed, the cached nfct is no longer relevant
+for the packet and attempt to re-use it leads to the incorrect packet
+classification.
+
+This issue is causing broken connectivity in OpenStack deployments
+with OVS/OVN due to hairpin traffic being unexpectedly dropped.
+
+The setup has datapath flows with several conntrack actions and tuple
+changes between them:
+
+ actions:ct(commit,zone=8,mark=0/0x1,nat(src)),
+ set(eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:06)),
+ set(ipv4(src=172.18.2.10,dst=192.168.100.6,ttl=62)),
+ ct(zone=8),recirc(0x4)
+
+After the first ct() action the packet headers are almost fully
+re-written. The next ct() tries to re-use the existing nfct entry
+and marks the packet as invalid, so it gets dropped later in the
+pipeline.
+
+Clearing the cached conntrack entry whenever packet tuple is changed
+to avoid the issue.
+
+The flow key should not be cleared though, because we should still
+be able to match on the ct_state if the recirculation happens after
+the tuple change but before the next ct() action.
+
+Cc: stable@vger.kernel.org
+Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
+Reported-by: Frode Nordahl <frode.nordahl@canonical.com>
+Link: https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051829.html
+Link: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967856
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Link: https://lore.kernel.org/r/20220606221140.488984-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[Backport to 5.10: minor rebase in ovs_ct_clear function.
+ This version also applicable to and tested on 5.4 and 4.19.]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/actions.c | 6 ++++++
+ net/openvswitch/conntrack.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -372,6 +372,7 @@ static void set_ip_addr(struct sk_buff *
+ update_ip_l4_checksum(skb, nh, *addr, new_addr);
+ csum_replace4(&nh->check, *addr, new_addr);
+ skb_clear_hash(skb);
++ ovs_ct_clear(skb, NULL);
+ *addr = new_addr;
+ }
+
+@@ -419,6 +420,7 @@ static void set_ipv6_addr(struct sk_buff
+ update_ipv6_checksum(skb, l4_proto, addr, new_addr);
+
+ skb_clear_hash(skb);
++ ovs_ct_clear(skb, NULL);
+ memcpy(addr, new_addr, sizeof(__be32[4]));
+ }
+
+@@ -659,6 +661,7 @@ static int set_nsh(struct sk_buff *skb,
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+ {
++ ovs_ct_clear(skb, NULL);
+ inet_proto_csum_replace2(check, skb, *port, new_port, false);
+ *port = new_port;
+ }
+@@ -698,6 +701,7 @@ static int set_udp(struct sk_buff *skb,
+ uh->dest = dst;
+ flow_key->tp.src = src;
+ flow_key->tp.dst = dst;
++ ovs_ct_clear(skb, NULL);
+ }
+
+ skb_clear_hash(skb);
+@@ -760,6 +764,8 @@ static int set_sctp(struct sk_buff *skb,
+ sh->checksum = old_csum ^ old_correct_csum ^ new_csum;
+
+ skb_clear_hash(skb);
++ ovs_ct_clear(skb, NULL);
++
+ flow_key->tp.src = sh->source;
+ flow_key->tp.dst = sh->dest;
+
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -1324,7 +1324,8 @@ int ovs_ct_clear(struct sk_buff *skb, st
+ if (skb_nfct(skb)) {
+ nf_conntrack_put(skb_nfct(skb));
+ nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
+- ovs_ct_fill_key(skb, key);
++ if (key)
++ ovs_ct_fill_key(skb, key);
+ }
+
+ return 0;
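Review bot: ovs_ct_clear() now accepts a NULL key, but nothing at the definition says so or what it means for the caller. With `key == NULL` the cached nfct is released and no flow key is refreshed. The commit message describes this as intentional, so that ct_state can still be matched after recirculation, but a later reader of the `ovs_ct_clear(skb, NULL)` calls in actions.c cannot tell that from the code. I would add above the function `/* key may be NULL: drop the skb's cached conntrack entry but leave the flow key's ct fields untouched. */`. The function's signature is truncated in the hunk header and its opening lies outside the hunk.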
--- /dev/null
+From 4ddc844eb81da59bfb816d8d52089aba4e59e269 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Thu, 10 Feb 2022 18:56:08 +0100
+Subject: net/sched: act_police: more accurate MTU policing
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit 4ddc844eb81da59bfb816d8d52089aba4e59e269 upstream.
+
+in current Linux, MTU policing does not take into account that packets at
+the TC ingress have the L2 header pulled. Thus, the same TC police action
+(with the same value of tcfp_mtu) behaves differently for ingress/egress.
+In addition, the full GSO size is compared to tcfp_mtu: as a consequence,
+the policer drops GSO packets even when individual segments have the L2 +
+L3 + L4 + payload length below the configured valued of tcfp_mtu.
+
+Improve the accuracy of MTU policing as follows:
+ - account for mac_len for non-GSO packets at TC ingress.
+ - compare MTU threshold with the segmented size for GSO packets.
+Also, add a kselftest that verifies the correct behavior.
+
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[dcaratti: fix conflicts due to lack of the following commits:
+ - commit 2ffe0395288a ("net/sched: act_police: add support for
+ packet-per-second policing")
+ - commit 53b61f29367d ("selftests: forwarding: Add tc-police tests for
+ packets per second")]
+Link: https://lore.kernel.org/netdev/876d597a0ff55f6ba786f73c5a9fd9eb8d597a03.1644514748.git.dcaratti@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_police.c | 16 +++++-
+ tools/testing/selftests/net/forwarding/tc_police.sh | 52 ++++++++++++++++++++
+ 2 files changed, 67 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -213,6 +213,20 @@ release_idr:
+ return err;
+ }
+
++static bool tcf_police_mtu_check(struct sk_buff *skb, u32 limit)
++{
++ u32 len;
++
++ if (skb_is_gso(skb))
++ return skb_gso_validate_mac_len(skb, limit);
++
++ len = qdisc_pkt_len(skb);
++ if (skb_at_tc_ingress(skb))
++ len += skb->mac_len;
++
++ return len <= limit;
++}
++
+ static int tcf_police_act(struct sk_buff *skb, const struct tc_action *a,
+ struct tcf_result *res)
+ {
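Review bot: tcf_police_mtu_check() carries no comment, and its two branches reach an L2-inclusive length in different ways that are easy to break later. GSO skbs are checked per segment through skb_gso_validate_mac_len(), while other skbs use qdisc_pkt_len() with `skb->mac_len` added back only at TC ingress. A short header comment would record that, e.g. `/* Compare the L2-inclusive length with limit: per segment for GSO skbs, and with mac_len re-added at ingress, where the L2 header is already pulled. */`. The helper only reads the skb, so `const struct sk_buff *skb` looks possible if the called helpers accept a const pointer, which is not visible here.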
+@@ -235,7 +249,7 @@ static int tcf_police_act(struct sk_buff
+ goto inc_overlimits;
+ }
+
+- if (qdisc_pkt_len(skb) <= p->tcfp_mtu) {
++ if (tcf_police_mtu_check(skb, p->tcfp_mtu)) {
+ if (!p->rate_present) {
+ ret = p->tcfp_result;
+ goto end;
+--- a/tools/testing/selftests/net/forwarding/tc_police.sh
++++ b/tools/testing/selftests/net/forwarding/tc_police.sh
+@@ -35,6 +35,8 @@ ALL_TESTS="
+ police_shared_test
+ police_rx_mirror_test
+ police_tx_mirror_test
++ police_mtu_rx_test
++ police_mtu_tx_test
+ "
+ NUM_NETIFS=6
+ source tc_common.sh
+@@ -290,6 +292,56 @@ police_tx_mirror_test()
+ police_mirror_common_test $rp2 egress "police tx and mirror"
+ }
+
++police_mtu_common_test() {
++ RET=0
++
++ local test_name=$1; shift
++ local dev=$1; shift
++ local direction=$1; shift
++
++ tc filter add dev $dev $direction protocol ip pref 1 handle 101 flower \
++ dst_ip 198.51.100.1 ip_proto udp dst_port 54321 \
++ action police mtu 1042 conform-exceed drop/ok
++
++ # to count "conform" packets
++ tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
++ dst_ip 198.51.100.1 ip_proto udp dst_port 54321 \
++ action drop
++
++ mausezahn $h1 -a own -b $(mac_get $rp1) -A 192.0.2.1 -B 198.51.100.1 \
++ -t udp sp=12345,dp=54321 -p 1001 -c 10 -q
++
++ mausezahn $h1 -a own -b $(mac_get $rp1) -A 192.0.2.1 -B 198.51.100.1 \
++ -t udp sp=12345,dp=54321 -p 1000 -c 3 -q
++
++ tc_check_packets "dev $dev $direction" 101 13
++ check_err $? "wrong packet counter"
++
++ # "exceed" packets
++ local overlimits_t0=$(tc_rule_stats_get ${dev} 1 ${direction} .overlimits)
++ test ${overlimits_t0} = 10
++ check_err $? "wrong overlimits, expected 10 got ${overlimits_t0}"
++
++ # "conform" packets
++ tc_check_packets "dev $h2 ingress" 101 3
++ check_err $? "forwarding error"
++
++ tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
++ tc filter del dev $dev $direction protocol ip pref 1 handle 101 flower
++
++ log_test "$test_name"
++}
++
++police_mtu_rx_test()
++{
++ police_mtu_common_test "police mtu (rx)" $rp1 ingress
++}
++
++police_mtu_tx_test()
++{
++ police_mtu_common_test "police mtu (tx)" $rp2 egress
++}
++
+ setup_prepare()
+ {
+ h1=${NETIFS[p1]}
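Review bot: police_mtu_common_test() only sends single UDP datagrams with mausezahn (`-p 1001` and `-p 1000`), so the GSO branch this commit adds to the policer is not exercised by the new selftest, as far as this hunk shows. A TCP stream case with segmentation offload enabled on the sender would cover it. The threshold `mtu 1042` also deserves a comment, presumably `# 1042 = 1000 payload + 8 UDP + 20 IPv4 + 14 Ethernet`, since the 10/3 split of exceed and conform packets depends on that arithmetic. `test ${overlimits_t0} = 10` should quote the expansion as `test "${overlimits_t0}" = 10`, so an empty value from tc_rule_stats_get fails the comparison cleanly instead of as a usage error.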
--- /dev/null
+From 1d71eb53e45187f58089d32b51e27784c791d90e Mon Sep 17 00:00:00 2001
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Date: Mon, 26 Jul 2021 20:36:54 -0700
+Subject: Revert "PCI: Make pci_enable_ptm() private"
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+commit 1d71eb53e45187f58089d32b51e27784c791d90e upstream.
+
+Make pci_enable_ptm() accessible from the drivers.
+
+Exposing this to the driver enables the driver to use the
+'ptm_enabled' field of 'pci_dev' to check if PTM is enabled or not.
+
+This reverts commit ac6c26da29c1 ("PCI: Make pci_enable_ptm() private").
+
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Meng Tang <tangmeng@uniontech.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci.h | 3 ---
+ include/linux/pci.h | 7 +++++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -585,11 +585,8 @@ static inline void pcie_ecrc_get_policy(
+
+ #ifdef CONFIG_PCIE_PTM
+ void pci_ptm_init(struct pci_dev *dev);
+-int pci_enable_ptm(struct pci_dev *dev, u8 *granularity);
+ #else
+ static inline void pci_ptm_init(struct pci_dev *dev) { }
+-static inline int pci_enable_ptm(struct pci_dev *dev, u8 *granularity)
+-{ return -EINVAL; }
+ #endif
+
+ struct pci_dev_reset_methods {
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1599,6 +1599,13 @@ static inline bool pci_aer_available(voi
+
+ bool pci_ats_disabled(void);
+
++#ifdef CONFIG_PCIE_PTM
++int pci_enable_ptm(struct pci_dev *dev, u8 *granularity);
++#else
++static inline int pci_enable_ptm(struct pci_dev *dev, u8 *granularity)
++{ return -EINVAL; }
++#endif
++
+ void pci_cfg_access_lock(struct pci_dev *dev);
+ bool pci_cfg_access_trylock(struct pci_dev *dev);
+ void pci_cfg_access_unlock(struct pci_dev *dev);
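Review bot: Moving the `pci_enable_ptm()` prototype into include/linux/pci.h makes it callable from drivers, but this patch touches only headers. Whether the symbol is exported for modular drivers depends on its definition, which is not shown. Since the igc patch in the same series calls it from igc_probe(), the backport should confirm that `EXPORT_SYMBOL(pci_enable_ptm)` is present in this stable tree. The public declaration would also benefit from a comment saying whether `granularity` may be NULL, as the igc caller passes NULL.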
kvm-svm-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-data-leak.patch
alsa-hda-realtek-fix-right-sounds-and-mute-micmute-leds-for-hp-machine.patch
virtio-pci-remove-wrong-address-verification-in-vp_del_vqs.patch
+dma-direct-don-t-over-decrypt-memory.patch
+net-sched-act_police-more-accurate-mtu-policing.patch
+net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch
+revert-pci-make-pci_enable_ptm-private.patch
+igc-enable-pcie-ptm.patch