--- /dev/null
+From ca43ccf41224b023fc290073d5603a755fd12eed Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Thu, 9 Feb 2023 16:22:01 -0800
+Subject: dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit ca43ccf41224b023fc290073d5603a755fd12eed upstream.
+
+Eric Dumazet pointed out [0] that when we call skb_set_owner_r()
+for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called,
+resulting in a negative sk_forward_alloc.
+
+We add a new helper which clones a skb and sets its owner only
+when sk_rmem_schedule() succeeds.
+
+Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv()
+because tcp_send_synack() can make sk_forward_alloc negative before
+ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases.
+
+[0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/
+
+Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()")
+Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 13 +++++++++++++
+ net/dccp/ipv6.c | 7 ++-----
+ net/ipv6/tcp_ipv6.c | 10 +++-------
+ 3 files changed, 18 insertions(+), 12 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2049,6 +2049,19 @@ static inline void skb_set_owner_r(struc
+ sk_mem_charge(sk, skb->truesize);
+ }
+
++static inline struct sk_buff *skb_clone_and_charge_r(struct sk_buff *skb, struct sock *sk)
++{
++ skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
++ if (skb) {
++ if (sk_rmem_schedule(sk, skb, skb->truesize)) {
++ skb_set_owner_r(skb, sk);
++ return skb;
++ }
++ __kfree_skb(skb);
++ }
++ return NULL;
++}
++
+ void sk_reset_timer(struct sock *sk, struct timer_list *timer,
+ unsigned long expires);
+
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -541,11 +541,9 @@ static struct sock *dccp_v6_request_recv
+ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
+ /* Clone pktoptions received with SYN, if we own the req */
+ if (*own_req && ireq->pktopts) {
+- newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC);
++ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
+ consume_skb(ireq->pktopts);
+ ireq->pktopts = NULL;
+- if (newnp->pktoptions)
+- skb_set_owner_r(newnp->pktoptions, newsk);
+ }
+
+ return newsk;
+@@ -605,7 +603,7 @@ static int dccp_v6_do_rcv(struct sock *s
+ --ANK (980728)
+ */
+ if (np->rxopt.all)
+- opt_skb = skb_clone(skb, GFP_ATOMIC);
++ opt_skb = skb_clone_and_charge_r(skb, sk);
+
+ if (sk->sk_state == DCCP_OPEN) { /* Fast path */
+ if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len))
+@@ -669,7 +667,6 @@ ipv6_pktoptions:
+ np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
+ if (ipv6_opt_accepted(sk, opt_skb,
+ &DCCP_SKB_CB(opt_skb)->header.h6)) {
+- skb_set_owner_r(opt_skb, sk);
+ memmove(IP6CB(opt_skb),
+ &DCCP_SKB_CB(opt_skb)->header.h6,
+ sizeof(struct inet6_skb_parm));
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1242,14 +1242,11 @@ static struct sock *tcp_v6_syn_recv_sock
+
+ /* Clone pktoptions received with SYN, if we own the req */
+ if (ireq->pktopts) {
+- newnp->pktoptions = skb_clone(ireq->pktopts,
+- sk_gfp_mask(sk, GFP_ATOMIC));
++ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
+ consume_skb(ireq->pktopts);
+ ireq->pktopts = NULL;
+- if (newnp->pktoptions) {
++ if (newnp->pktoptions)
+ tcp_v6_restore_cb(newnp->pktoptions);
+- skb_set_owner_r(newnp->pktoptions, newsk);
+- }
+ }
+ } else {
+ if (!req_unhash && found_dup_sk) {
+@@ -1317,7 +1314,7 @@ static int tcp_v6_do_rcv(struct sock *sk
+ --ANK (980728)
+ */
+ if (np->rxopt.all)
+- opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
++ opt_skb = skb_clone_and_charge_r(skb, sk);
+
+ if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
+ struct dst_entry *dst;
+@@ -1399,7 +1396,6 @@ ipv6_pktoptions:
+ if (np->repflow)
+ np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
+ if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) {
+- skb_set_owner_r(opt_skb, sk);
+ tcp_v6_restore_cb(opt_skb);
+ opt_skb = xchg(&np->pktoptions, opt_skb);
+ } else {
--- /dev/null
+From e010ae08c71fda8be3d6bda256837795a0b3ea41 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Wed, 8 Feb 2023 18:13:59 +0100
+Subject: ipv6: Fix datagram socket connection with DSCP.
+
+From: Guillaume Nault <gnault@redhat.com>
+
+commit e010ae08c71fda8be3d6bda256837795a0b3ea41 upstream.
+
+Take into account the IPV6_TCLASS socket option (DSCP) in
+ip6_datagram_flow_key_init(). Otherwise fib6_rule_match() can't
+properly match the DSCP value, resulting in invalid route lookup.
+
+For example:
+
+ ip route add unreachable table main 2001:db8::10/124
+
+ ip route add table 100 2001:db8::10/124 dev eth0
+ ip -6 rule add dsfield 0x04 table 100
+
+ echo test | socat - UDP6:[2001:db8::11]:54321,ipv6-tclass=0x04
+
+Without this patch, socat fails at connect() time ("No route to host")
+because the fib-rule doesn't jump to table 100 and the lookup ends up
+being done in the main table.
+
+Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/datagram.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -53,7 +53,7 @@ static void ip6_datagram_flow_key_init(s
+ fl6->flowi6_mark = sk->sk_mark;
+ fl6->fl6_dport = inet->inet_dport;
+ fl6->fl6_sport = inet->inet_sport;
+- fl6->flowlabel = np->flow_label;
++ fl6->flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label);
+ fl6->flowi6_uid = sk->sk_uid;
+
+ if (!fl6->flowi6_oif)
--- /dev/null
+From 8230680f36fd1525303d1117768c8852314c488c Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Wed, 8 Feb 2023 18:14:03 +0100
+Subject: ipv6: Fix tcp socket connection with DSCP.
+
+From: Guillaume Nault <gnault@redhat.com>
+
+commit 8230680f36fd1525303d1117768c8852314c488c upstream.
+
+Take into account the IPV6_TCLASS socket option (DSCP) in
+tcp_v6_connect(). Otherwise fib6_rule_match() can't properly
+match the DSCP value, resulting in invalid route lookup.
+
+For example:
+
+ ip route add unreachable table main 2001:db8::10/124
+
+ ip route add table 100 2001:db8::10/124 dev eth0
+ ip -6 rule add dsfield 0x04 table 100
+
+ echo test | socat - TCP6:[2001:db8::11]:54321,ipv6-tclass=0x04
+
+Without this patch, socat fails at connect() time ("No route to host")
+because the fib-rule doesn't jump to table 100 and the lookup ends up
+being done in the main table.
+
+Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/tcp_ipv6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -241,6 +241,7 @@ static int tcp_v6_connect(struct sock *s
+ fl6.flowi6_proto = IPPROTO_TCP;
+ fl6.daddr = sk->sk_v6_daddr;
+ fl6.saddr = saddr ? *saddr : np->saddr;
++ fl6.flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label);
+ fl6.flowi6_oif = sk->sk_bound_dev_if;
+ fl6.flowi6_mark = sk->sk_mark;
+ fl6.fl6_dport = usin->sin6_port;
--- /dev/null
+From fda6c89fe3d9aca073495a664e1d5aea28cd4377 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 13 Feb 2023 22:53:55 -0800
+Subject: net: mpls: fix stale pointer if allocation fails during device rename
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream.
+
+lianhui reports that when MPLS fails to register the sysctl table
+under new location (during device rename) the old pointers won't
+get overwritten and may be freed again (double free).
+
+Handle this gracefully. The best option would be unregistering
+the MPLS from the device completely on failure, but unfortunately
+mpls_ifdown() can fail. So failing fully is also unreliable.
+
+Another option is to register the new table first then only
+remove old one if the new one succeeds. That requires more
+code, changes order of notifications and two tables may be
+visible at the same time.
+
+sysctl point is not used in the rest of the code - set to NULL
+on failures and skip unregister if already NULL.
+
+Reported-by: lianhui tang <bluetlh@gmail.com>
+Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mpls/af_mpls.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -1344,6 +1344,7 @@ static int mpls_dev_sysctl_register(stru
+ free:
+ kfree(table);
+ out:
++ mdev->sysctl = NULL;
+ return -ENOBUFS;
+ }
+
+@@ -1353,6 +1354,9 @@ static void mpls_dev_sysctl_unregister(s
+ struct net *net = dev_net(dev);
+ struct ctl_table *table;
+
++ if (!mdev->sysctl)
++ return;
++
+ table = mdev->sysctl->ctl_table_arg;
+ unregister_net_sysctl_table(mdev->sysctl);
+ kfree(table);
--- /dev/null
+From 05d7623a892a9da62da0e714428e38f09e4a64d8 Mon Sep 17 00:00:00 2001
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Date: Fri, 10 Feb 2023 22:21:26 +0200
+Subject: net: stmmac: Restrict warning on disabling DMA store and fwd mode
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+commit 05d7623a892a9da62da0e714428e38f09e4a64d8 upstream.
+
+When setting 'snps,force_thresh_dma_mode' DT property, the following
+warning is always emitted, regardless the status of force_sf_dma_mode:
+
+dwmac-starfive 10020000.ethernet: force_sf_dma_mode is ignored if force_thresh_dma_mode is set.
+
+Do not print the rather misleading message when DMA store and forward
+mode is already disabled.
+
+Fixes: e2a240c7d3bc ("driver:net:stmmac: Disable DMA store and forward mode if platform data force_thresh_dma_mode is set.")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20230210202126.877548-1-cristian.ciocaltea@collabora.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -500,7 +500,7 @@ stmmac_probe_config_dt(struct platform_d
+ dma_cfg->mixed_burst = of_property_read_bool(np, "snps,mixed-burst");
+
+ plat->force_thresh_dma_mode = of_property_read_bool(np, "snps,force_thresh_dma_mode");
+- if (plat->force_thresh_dma_mode) {
++ if (plat->force_thresh_dma_mode && plat->force_sf_dma_mode) {
+ plat->force_sf_dma_mode = 0;
+ pr_warn("force_sf_dma_mode is ignored if force_thresh_dma_mode is set.");
+ }
--- /dev/null
+From c68f345b7c425b38656e1791a0486769a8797016 Mon Sep 17 00:00:00 2001
+From: Miko Larsson <mikoxyzzz@gmail.com>
+Date: Fri, 10 Feb 2023 09:13:44 +0100
+Subject: net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
+
+From: Miko Larsson <mikoxyzzz@gmail.com>
+
+commit c68f345b7c425b38656e1791a0486769a8797016 upstream.
+
+syzbot reported that act_len in kalmia_send_init_packet() is
+uninitialized when passing it to the first usb_bulk_msg error path. Jiri
+Pirko noted that it's pointless to pass it in the error path, and that
+the value that would be printed in the second error path would be the
+value of act_len from the first call to usb_bulk_msg.[1]
+
+With this in mind, let's just not pass act_len to the usb_bulk_msg error
+paths.
+
+1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/
+
+Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
+Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55@syzkaller.appspotmail.com
+Signed-off-by: Miko Larsson <mikoxyzzz@gmail.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/kalmia.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/usb/kalmia.c
++++ b/drivers/net/usb/kalmia.c
+@@ -69,8 +69,8 @@ kalmia_send_init_packet(struct usbnet *d
+ init_msg, init_msg_len, &act_len, KALMIA_USB_TIMEOUT);
+ if (status != 0) {
+ netdev_err(dev->net,
+- "Error sending init packet. Status %i, length %i\n",
+- status, act_len);
++ "Error sending init packet. Status %i\n",
++ status);
+ return status;
+ }
+ else if (act_len != init_msg_len) {
+@@ -87,8 +87,8 @@ kalmia_send_init_packet(struct usbnet *d
+
+ if (status != 0)
+ netdev_err(dev->net,
+- "Error receiving init result. Status %i, length %i\n",
+- status, act_len);
++ "Error receiving init result. Status %i\n",
++ status);
+ else if (act_len != expected_len)
+ netdev_err(dev->net, "Unexpected init result length: %i\n",
+ act_len);
revert-squashfs-harden-sanity-check-in-squashfs_read_xattr_id_table.patch
i40e-add-double-of-vlan-header-when-computing-the-max-mtu.patch
net-bgmac-fix-bcm5358-support-by-setting-correct-flags.patch
+dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch
+net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch
+net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch
+net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch
+ipv6-fix-datagram-socket-connection-with-dscp.patch
+ipv6-fix-tcp-socket-connection-with-dscp.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
