From: Sasha Levin Date: Sun, 28 Apr 2024 11:06:25 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.1.89~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d38a8dbcb48aba44a2c102a8e539fb3ddcccecc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arc-plat-hsdk-remove-misplaced-interrupt-cells-prope.patch b/queue-4.19/arc-plat-hsdk-remove-misplaced-interrupt-cells-prope.patch new file mode 100644 index 00000000000..a19066903fd --- /dev/null +++ b/queue-4.19/arc-plat-hsdk-remove-misplaced-interrupt-cells-prope.patch @@ -0,0 +1,44 @@ +From 6a8de536c304848f60be91698987a92bac642d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 10:36:50 +0000 +Subject: ARC: [plat-hsdk]: Remove misplaced interrupt-cells property + +From: Alexey Brodkin + +[ Upstream commit 61231eb8113ce47991f35024f9c20810b37996bf ] + +"gmac" node stands for just an ordinary Ethernet controller, +which is by no means a provider of interrupts, i.e. it doesn't serve +as an interrupt controller, thus "#interrupt-cells" property doesn't +belong to it and so we remove it. + +Fixes: +------------>8------------ + DTC arch/arc/boot/dts/hsdk.dtb +arch/arc/boot/dts/hsdk.dts:207.23-235.5: Warning (interrupt_provider): /soc/ethernet@8000: '#interrupt-cells' found, but node is not an interrupt provider +arch/arc/boot/dts/hsdk.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider' +------------>8------------ + +Reported-by: Vineet Gupta +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/boot/dts/hsdk.dts | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arc/boot/dts/hsdk.dts b/arch/arc/boot/dts/hsdk.dts +index f6b6e3c9ca8aa..40a6681bae8a5 100644 +--- a/arch/arc/boot/dts/hsdk.dts ++++ b/arch/arc/boot/dts/hsdk.dts +@@ -170,7 +170,6 @@ + }; + + gmac: ethernet@8000 { +- #interrupt-cells = <1>; + compatible = "snps,dwmac"; + reg = <0x8000 0x2000>; + interrupts = <10>; +-- +2.43.0 + diff --git a/queue-4.19/arm64-dts-mediatek-mt7622-drop-reset-names-from-ther.patch b/queue-4.19/arm64-dts-mediatek-mt7622-drop-reset-names-from-ther.patch new file mode 100644 index 00000000000..0cb44877527 --- /dev/null +++ b/queue-4.19/arm64-dts-mediatek-mt7622-drop-reset-names-from-ther.patch @@ -0,0 +1,44 @@ +From 9628765c4a0eefa9474ef4a0698691a10395a469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 23:10:50 +0100 +Subject: arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit ecb5b0034f5bcc35003b4b965cf50c6e98316e79 ] + +Binding doesn't specify "reset-names" property and Linux driver also +doesn't use it. + +Fix following validation error: +arch/arm64/boot/dts/mediatek/mt7622-rfb1.dtb: thermal@1100b000: Unevaluated properties are not allowed ('reset-names' was unexpected) + from schema $id: http://devicetree.org/schemas/thermal/mediatek,thermal.yaml# + +Fixes: ae457b7679c4 ("arm64: dts: mt7622: add SoC and peripheral related device nodes") +Signed-off-by: Rafał Miłecki +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20240317221050.18595-5-zajec5@gmail.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt7622.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +index 76297dac2d459..f8df34ac1e64d 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -459,7 +459,6 @@ + <&pericfg CLK_PERI_AUXADC_PD>; + clock-names = "therm", "auxadc"; + resets = <&pericfg MT7622_PERI_THERM_SW_RST>; +- reset-names = "therm"; + mediatek,auxadc = <&auxadc>; + mediatek,apmixedsys = <&apmixedsys>; + nvmem-cells = <&thermal_calibration>; +-- +2.43.0 + diff --git a/queue-4.19/arm64-dts-mediatek-mt7622-fix-ethernet-controller-co.patch b/queue-4.19/arm64-dts-mediatek-mt7622-fix-ethernet-controller-co.patch new file mode 100644 index 00000000000..c4b69294eb7 --- /dev/null +++ b/queue-4.19/arm64-dts-mediatek-mt7622-fix-ethernet-controller-co.patch @@ -0,0 +1,45 @@ +From b6f34784d92ba280c8a4f42e22fee3c41cd09c3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 23:10:49 +0100 +Subject: arm64: dts: mediatek: mt7622: fix ethernet controller "compatible" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 208add29ce5b7291f6c466e4dfd9cbf61c72888e ] + +Fix following validation error: +arch/arm64/boot/dts/mediatek/mt7622-rfb1.dtb: ethernet@1b100000: compatible: ['mediatek,mt7622-eth', 'mediatek,mt2701-eth', 'syscon'] is too long + from schema $id: http://devicetree.org/schemas/net/mediatek,net.yaml# +(and other complains about wrong clocks). + +Fixes: 5f599b3a0bb8 ("arm64: dts: mt7622: add ethernet device nodes") +Signed-off-by: Rafał Miłecki +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20240317221050.18595-4-zajec5@gmail.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt7622.dtsi | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +index 5c12e9dad9167..76297dac2d459 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -846,9 +846,7 @@ + }; + + eth: ethernet@1b100000 { +- compatible = "mediatek,mt7622-eth", +- "mediatek,mt2701-eth", +- "syscon"; ++ compatible = "mediatek,mt7622-eth"; + reg = <0 0x1b100000 0 0x20000>; + interrupts = , + , +-- +2.43.0 + diff --git a/queue-4.19/arm64-dts-mediatek-mt7622-fix-ir-nodename.patch b/queue-4.19/arm64-dts-mediatek-mt7622-fix-ir-nodename.patch new file mode 100644 index 00000000000..42e04cb468f --- /dev/null +++ b/queue-4.19/arm64-dts-mediatek-mt7622-fix-ir-nodename.patch @@ -0,0 +1,42 @@ +From 8081c796f1e571052c27f7e0313beb291fc28d83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 23:10:48 +0100 +Subject: arm64: dts: mediatek: mt7622: fix IR nodename +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 800dc93c3941e372c94278bf4059e6e82f60bd66 ] + +Fix following validation error: +arch/arm64/boot/dts/mediatek/mt7622-rfb1.dtb: cir@10009000: $nodename:0: 'cir@10009000' does not match '^ir(-receiver)?(@[a-f0-9]+)?$' + from schema $id: http://devicetree.org/schemas/media/mediatek,mt7622-cir.yaml# + +Fixes: ae457b7679c4 ("arm64: dts: mt7622: add SoC and peripheral related device nodes") +Signed-off-by: Rafał Miłecki +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20240317221050.18595-3-zajec5@gmail.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt7622.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +index 5cb0470ede723..5c12e9dad9167 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -232,7 +232,7 @@ + clock-names = "hif_sel"; + }; + +- cir: cir@10009000 { ++ cir: ir-receiver@10009000 { + compatible = "mediatek,mt7622-cir"; + reg = <0 0x10009000 0 0x1000>; + interrupts = ; +-- +2.43.0 + diff --git a/queue-4.19/arm64-dts-rockchip-enable-internal-pull-up-on-pcie_w.patch b/queue-4.19/arm64-dts-rockchip-enable-internal-pull-up-on-pcie_w.patch new file mode 100644 index 00000000000..4aceac9a663 --- /dev/null +++ b/queue-4.19/arm64-dts-rockchip-enable-internal-pull-up-on-pcie_w.patch @@ -0,0 +1,44 @@ +From 9e3f1e17a9cd4ffa0cfe8b798026cdee1d439e57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 16:46:08 +0100 +Subject: arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for + RK3399 Puma + +From: Quentin Schulz + +[ Upstream commit 945a7c8570916650a415757d15d83e0fa856a686 ] + +The PCIE_WAKE# has a diode used as a level-shifter, and is used as an +input pin. While the SoC default is to enable the pull-up, the core +rk3399 pinconf for this pin opted for pull-none. So as to not disturb +the behaviour of other boards which may rely on pull-none instead of +pull-up, set the needed pull-up only for RK3399 Puma. + +Fixes: 60fd9f72ce8a ("arm64: dts: rockchip: add Haikou baseboard with RK3399-Q7 SoM") +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20240308-puma-diode-pu-v2-2-309f83da110a@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +index b79017c41ce56..1c9b4a9557082 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -426,6 +426,11 @@ + gpio1830-supply = <&vcc_1v8>; + }; + ++&pcie_clkreqn_cpm { ++ rockchip,pins = ++ <2 RK_PD2 RK_FUNC_GPIO &pcfg_pull_up>; ++}; ++ + &pinctrl { + i2c8 { + i2c8_xfer_a: i2c8-xfer { +-- +2.43.0 + diff --git a/queue-4.19/arm64-dts-rockchip-fix-alphabetical-ordering-rk3399-.patch b/queue-4.19/arm64-dts-rockchip-fix-alphabetical-ordering-rk3399-.patch new file mode 100644 index 00000000000..ea2f6e5caa9 --- /dev/null +++ b/queue-4.19/arm64-dts-rockchip-fix-alphabetical-ordering-rk3399-.patch @@ -0,0 +1,62 @@ +From 951a233e34ed26abf98e48a965bf59fef87405b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 09:52:43 +0100 +Subject: arm64: dts: rockchip: fix alphabetical ordering RK3399 puma + +From: Iskander Amara + +[ Upstream commit f0abb4b2c7acf3c3e4130dc3f54cd90cf2ae62bc ] + +Nodes overridden by their reference should be ordered alphabetically to +make it easier to read the DTS. pinctrl node is defined in the wrong +location so let's reorder it. + +Signed-off-by: Iskander Amara +Reviewed-by: Quentin Schulz +Link: https://lore.kernel.org/r/20240308085243.69903-2-iskander.amara@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Stable-dep-of: 945a7c857091 ("arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +index 6750b8100421c..b79017c41ce56 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -426,15 +426,6 @@ + gpio1830-supply = <&vcc_1v8>; + }; + +-&pmu_io_domains { +- status = "okay"; +- pmu1830-supply = <&vcc_1v8>; +-}; +- +-&pwm2 { +- status = "okay"; +-}; +- + &pinctrl { + i2c8 { + i2c8_xfer_a: i2c8-xfer { +@@ -466,6 +457,15 @@ + }; + }; + ++&pmu_io_domains { ++ status = "okay"; ++ pmu1830-supply = <&vcc_1v8>; ++}; ++ ++&pwm2 { ++ status = "okay"; ++}; ++ + &sdhci { + /* + * Signal integrity isn't great at 200MHz but 100MHz has proven stable +-- +2.43.0 + diff --git a/queue-4.19/i40e-do-not-use-wq_mem_reclaim-flag-for-workqueue.patch b/queue-4.19/i40e-do-not-use-wq_mem_reclaim-flag-for-workqueue.patch new file mode 100644 index 00000000000..079d7a89f6c --- /dev/null +++ b/queue-4.19/i40e-do-not-use-wq_mem_reclaim-flag-for-workqueue.patch @@ -0,0 +1,125 @@ +From 831b7f477f86eb60cf82a7b0328240741f49bc8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 11:27:17 -0700 +Subject: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue + +From: Sindhu Devale + +[ Upstream commit 2cc7d150550cc981aceedf008f5459193282425c ] + +Issue reported by customer during SRIOV testing, call trace: +When both i40e and the i40iw driver are loaded, a warning +in check_flush_dependency is being triggered. This seems +to be because of the i40e driver workqueue is allocated with +the WQ_MEM_RECLAIM flag, and the i40iw one is not. + +Similar error was encountered on ice too and it was fixed by +removing the flag. Do the same for i40e too. + +[Feb 9 09:08] ------------[ cut here ]------------ +[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is +flushing !WQ_MEM_RECLAIM infiniband:0x0 +[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 +check_flush_dependency+0x10b/0x120 +[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq +snd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4 +nls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr +rfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma +intel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif +isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal +intel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core +iTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore +ioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich +intel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad +xfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe +drm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel +libata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror +dm_region_hash dm_log dm_mod fuse +[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not +tainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1 +[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS +SE5C620.86B.02.01.0013.121520200651 12/15/2020 +[ +0.000001] Workqueue: i40e i40e_service_task [i40e] +[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120 +[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48 +81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd +ff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90 +[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282 +[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX: +0000000000000027 +[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI: +ffff94d47f620bc0 +[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09: +00000000ffff7fff +[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12: +ffff94c5451ea180 +[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15: +ffff94c5f1330ab0 +[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000) +knlGS:0000000000000000 +[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4: +00000000007706f0 +[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: +0000000000000400 +[ +0.000001] PKRU: 55555554 +[ +0.000001] Call Trace: +[ +0.000001] +[ +0.000002] ? __warn+0x80/0x130 +[ +0.000003] ? check_flush_dependency+0x10b/0x120 +[ +0.000002] ? report_bug+0x195/0x1a0 +[ +0.000005] ? handle_bug+0x3c/0x70 +[ +0.000003] ? exc_invalid_op+0x14/0x70 +[ +0.000002] ? asm_exc_invalid_op+0x16/0x20 +[ +0.000006] ? check_flush_dependency+0x10b/0x120 +[ +0.000002] ? check_flush_dependency+0x10b/0x120 +[ +0.000002] __flush_workqueue+0x126/0x3f0 +[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core] +[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core] +[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core] +[ +0.000020] i40iw_close+0x4b/0x90 [irdma] +[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e] +[ +0.000035] i40e_service_task+0x126/0x190 [i40e] +[ +0.000024] process_one_work+0x174/0x340 +[ +0.000003] worker_thread+0x27e/0x390 +[ +0.000001] ? __pfx_worker_thread+0x10/0x10 +[ +0.000002] kthread+0xdf/0x110 +[ +0.000002] ? __pfx_kthread+0x10/0x10 +[ +0.000002] ret_from_fork+0x2d/0x50 +[ +0.000003] ? __pfx_kthread+0x10/0x10 +[ +0.000001] ret_from_fork_asm+0x1b/0x30 +[ +0.000004] +[ +0.000001] ---[ end trace 0000000000000000 ]--- + +Fixes: 4d5957cbdecd ("i40e: remove WQ_UNBOUND and the task limit of our workqueue") +Signed-off-by: Sindhu Devale +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Mateusz Polchlopek +Signed-off-by: Aleksandr Loktionov +Tested-by: Robert Ganzynkowicz +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20240423182723.740401-2-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 491e5c776306d..3c9b28b7b5073 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -14728,7 +14728,7 @@ static int __init i40e_init_module(void) + * since we need to be able to guarantee forward progress even under + * memory pressure. + */ +- i40e_wq = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0, i40e_driver_name); ++ i40e_wq = alloc_workqueue("%s", 0, 0, i40e_driver_name); + if (!i40e_wq) { + pr_err("%s: Failed to create workqueue\n", i40e_driver_name); + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-4.19/ipvs-fix-checksumming-on-gso-of-sctp-packets.patch b/queue-4.19/ipvs-fix-checksumming-on-gso-of-sctp-packets.patch new file mode 100644 index 00000000000..1b589e252b4 --- /dev/null +++ b/queue-4.19/ipvs-fix-checksumming-on-gso-of-sctp-packets.patch @@ -0,0 +1,53 @@ +From be7c2be59337debd2f811c16b1f2111737129fcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Apr 2024 16:22:32 +0200 +Subject: ipvs: Fix checksumming on GSO of SCTP packets + +From: Ismael Luceno + +[ Upstream commit e10d3ba4d434ed172914617ed8d74bd411421193 ] + +It was observed in the wild that pairs of consecutive packets would leave +the IPVS with the same wrong checksum, and the issue only went away when +disabling GSO. + +IPVS needs to avoid computing the SCTP checksum when using GSO. + +Fixes: 90017accff61 ("sctp: Add GSO support") +Co-developed-by: Firo Yang +Signed-off-by: Ismael Luceno +Tested-by: Andreas Taschner +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_proto_sctp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c +index b0cd7d08f2a7a..18e2e489d0e51 100644 +--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c ++++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c +@@ -123,7 +123,8 @@ sctp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, + if (sctph->source != cp->vport || payload_csum || + skb->ip_summed == CHECKSUM_PARTIAL) { + sctph->source = cp->vport; +- sctp_nat_csum(skb, sctph, sctphoff); ++ if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb)) ++ sctp_nat_csum(skb, sctph, sctphoff); + } else { + skb->ip_summed = CHECKSUM_UNNECESSARY; + } +@@ -171,7 +172,8 @@ sctp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, + (skb->ip_summed == CHECKSUM_PARTIAL && + !(skb_dst(skb)->dev->features & NETIF_F_SCTP_CRC))) { + sctph->dest = cp->dport; +- sctp_nat_csum(skb, sctph, sctphoff); ++ if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb)) ++ sctp_nat_csum(skb, sctph, sctphoff); + } else if (skb->ip_summed != CHECKSUM_PARTIAL) { + skb->ip_summed = CHECKSUM_UNNECESSARY; + } +-- +2.43.0 + diff --git a/queue-4.19/mlxsw-core-unregister-emad-trap-using-forward-action.patch b/queue-4.19/mlxsw-core-unregister-emad-trap-using-forward-action.patch new file mode 100644 index 00000000000..8c548a0e1d7 --- /dev/null +++ b/queue-4.19/mlxsw-core-unregister-emad-trap-using-forward-action.patch @@ -0,0 +1,57 @@ +From 9955b3fbf19b96de23faf5a58e2d97eb708f1622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 15:46:06 +0200 +Subject: mlxsw: core: Unregister EMAD trap using FORWARD action + +From: Ido Schimmel + +[ Upstream commit 976c44af48141cd8595601c0af2a19a43c5b228b ] + +The device's manual (PRM - Programmer's Reference Manual) classifies the +trap that is used to deliver EMAD responses as an "event trap". Among +other things, it means that the only actions that can be associated with +the trap are TRAP and FORWARD (NOP). + +Currently, during driver de-initialization the driver unregisters the +trap by setting its action to DISCARD, which violates the above +guideline. Future firmware versions will prevent such misuses by +returning an error. This does not prevent the driver from working, but +an error will be printed to the kernel log during module removal / +devlink reload: + +mlxsw_spectrum 0000:03:00.0: Reg cmd access status failed (status=7(bad parameter)) +mlxsw_spectrum 0000:03:00.0: Reg cmd access failed (reg_id=7003(hpkt),type=write) + +Suppress the error message by aligning the driver to the manual and use +a FORWARD (NOP) action when unregistering the trap. + +Fixes: 4ec14b7634b2 ("mlxsw: Add interface to access registers and process events") +Cc: Jiri Pirko +Cc: Amit Cohen +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Reviewed-by: Simon Horman +Signed-off-by: Petr Machata +Link: https://lore.kernel.org/r/753a89e14008fde08cb4a2c1e5f537b81d8eb2d6.1713446092.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 049ca4ba49deb..2950c30ac1724 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -561,7 +561,7 @@ static void mlxsw_emad_rx_listener_func(struct sk_buff *skb, u8 local_port, + + static const struct mlxsw_listener mlxsw_emad_rx_listener = + MLXSW_RXL(mlxsw_emad_rx_listener_func, ETHEMAD, TRAP_TO_CPU, false, +- EMAD, DISCARD); ++ EMAD, FORWARD); + + static int mlxsw_emad_init(struct mlxsw_core *mlxsw_core) + { +-- +2.43.0 + diff --git a/queue-4.19/net-gtp-fix-use-after-free-in-gtp_dellink.patch b/queue-4.19/net-gtp-fix-use-after-free-in-gtp_dellink.patch new file mode 100644 index 00000000000..eba0c205c42 --- /dev/null +++ b/queue-4.19/net-gtp-fix-use-after-free-in-gtp_dellink.patch @@ -0,0 +1,46 @@ +From f3d7668e0952d9ed4dff6296f77cee3ccb37ec0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 05:39:30 -0400 +Subject: net: gtp: Fix Use-After-Free in gtp_dellink + +From: Hyunwoo Kim + +[ Upstream commit f2a904107ee2b647bb7794a1a82b67740d7c8a64 ] + +Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal +of gtp_dellink, is not part of the RCU read critical section, it +is possible that the RCU grace period will pass during the traversal and +the key will be free. + +To prevent this, it should be changed to hlist_for_each_entry_safe. + +Fixes: 94dc550a5062 ("gtp: fix an use-after-free in ipv4_pdp_find()") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 3f4e20a9ce9a1..db97f2fa203cf 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -710,11 +710,12 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev, + static void gtp_dellink(struct net_device *dev, struct list_head *head) + { + struct gtp_dev *gtp = netdev_priv(dev); ++ struct hlist_node *next; + struct pdp_ctx *pctx; + int i; + + for (i = 0; i < gtp->hash_size; i++) +- hlist_for_each_entry_rcu(pctx, >p->tid_hash[i], hlist_tid) ++ hlist_for_each_entry_safe(pctx, next, >p->tid_hash[i], hlist_tid) + pdp_context_delete(pctx); + + gtp_encap_disable(gtp); +-- +2.43.0 + diff --git a/queue-4.19/net-openvswitch-fix-use-after-free-in-ovs_ct_exit.patch b/queue-4.19/net-openvswitch-fix-use-after-free-in-ovs_ct_exit.patch new file mode 100644 index 00000000000..455c24151fd --- /dev/null +++ b/queue-4.19/net-openvswitch-fix-use-after-free-in-ovs_ct_exit.patch @@ -0,0 +1,46 @@ +From f70a90fd8a682f15537c3b2eaae8c44148136562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 05:37:17 -0400 +Subject: net: openvswitch: Fix Use-After-Free in ovs_ct_exit + +From: Hyunwoo Kim + +[ Upstream commit 5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2 ] + +Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal +of ovs_ct_limit_exit, is not part of the RCU read critical section, it +is possible that the RCU grace period will pass during the traversal and +the key will be free. + +To prevent this, it should be changed to hlist_for_each_entry_safe. + +Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Eric Dumazet +Reviewed-by: Aaron Conole +Link: https://lore.kernel.org/r/ZiYvzQN/Ry5oeFQW@v4bel-B760M-AORUS-ELITE-AX +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/conntrack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 352e80e6cd75c..3ea1e5ffaf80d 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -1836,9 +1836,9 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net) + for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) { + struct hlist_head *head = &info->limits[i]; + struct ovs_ct_limit *ct_limit; ++ struct hlist_node *next; + +- hlist_for_each_entry_rcu(ct_limit, head, hlist_node, +- lockdep_ovsl_is_held()) ++ hlist_for_each_entry_safe(ct_limit, next, head, hlist_node) + kfree_rcu(ct_limit, rcu); + } + kfree(ovs_net->ct_limit_info->limits); +-- +2.43.0 + diff --git a/queue-4.19/net-openvswitch-ovs_ct_exit-to-be-done-under-ovs_loc.patch b/queue-4.19/net-openvswitch-ovs_ct_exit-to-be-done-under-ovs_loc.patch new file mode 100644 index 00000000000..2fee9509968 --- /dev/null +++ b/queue-4.19/net-openvswitch-ovs_ct_exit-to-be-done-under-ovs_loc.patch @@ -0,0 +1,83 @@ +From d910ac79e9895b7ee2628ac4269935ebe68ccd21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 02:57:31 +0800 +Subject: net: openvswitch: ovs_ct_exit to be done under ovs_lock + +From: Tonghao Zhang + +[ Upstream commit 27de77cec985233bdf6546437b9761853265c505 ] + +syzbot wrote: +| ============================= +| WARNING: suspicious RCU usage +| 5.7.0-rc1+ #45 Not tainted +| ----------------------------- +| net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!! +| +| other info that might help us debug this: +| rcu_scheduler_active = 2, debug_locks = 1 +| ... +| +| stack backtrace: +| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 +| Workqueue: netns cleanup_net +| Call Trace: +| ... +| ovs_ct_exit +| ovs_exit_net +| ops_exit_list.isra.7 +| cleanup_net +| process_one_work +| worker_thread + +To avoid that warning, invoke the ovs_ct_exit under ovs_lock and add +lockdep_ovsl_is_held as optional lockdep expression. + +Link: https://lore.kernel.org/lkml/000000000000e642a905a0cbee6e@google.com +Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") +Cc: Pravin B Shelar +Cc: Yi-Hung Wei +Reported-by: syzbot+7ef50afd3a211f879112@syzkaller.appspotmail.com +Signed-off-by: Tonghao Zhang +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Stable-dep-of: 5ea7b72d4fac ("net: openvswitch: Fix Use-After-Free in ovs_ct_exit") +Signed-off-by: Sasha Levin +--- + net/openvswitch/conntrack.c | 3 ++- + net/openvswitch/datapath.c | 4 +++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 0777c8d416f1b..352e80e6cd75c 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -1837,7 +1837,8 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net) + struct hlist_head *head = &info->limits[i]; + struct ovs_ct_limit *ct_limit; + +- hlist_for_each_entry_rcu(ct_limit, head, hlist_node) ++ hlist_for_each_entry_rcu(ct_limit, head, hlist_node, ++ lockdep_ovsl_is_held()) + kfree_rcu(ct_limit, rcu); + } + kfree(ovs_net->ct_limit_info->limits); +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 0551915519d9f..db27a43f5c5ab 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -2390,8 +2390,10 @@ static void __net_exit ovs_exit_net(struct net *dnet) + struct net *net; + LIST_HEAD(head); + +- ovs_ct_exit(dnet); + ovs_lock(); ++ ++ ovs_ct_exit(dnet); ++ + list_for_each_entry_safe(dp, dp_next, &ovs_net->dps, list_node) + __dp_destroy(dp); + +-- +2.43.0 + diff --git a/queue-4.19/net-usb-ax88179_178a-stop-lying-about-skb-truesize.patch b/queue-4.19/net-usb-ax88179_178a-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..0ab76264b85 --- /dev/null +++ b/queue-4.19/net-usb-ax88179_178a-stop-lying-about-skb-truesize.patch @@ -0,0 +1,64 @@ +From d989a4c7177b251691d58bc86ead693b7bf03545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Apr 2024 19:38:28 +0000 +Subject: net: usb: ax88179_178a: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit 4ce62d5b2f7aecd4900e7d6115588ad7f9acccca ] + +Some usb drivers try to set small skb->truesize and break +core networking stacks. + +In this patch, I removed one of the skb->truesize overide. + +I also replaced one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") + +Fixes: f8ebb3ac881b ("net: usb: ax88179_178a: Fix packet receiving") +Reported-by: shironeko +Closes: https://lore.kernel.org/netdev/c110f41a0d2776b525930f213ca9715c@tesaguri.club/ +Signed-off-by: Eric Dumazet +Cc: Jose Alonso +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240421193828.1966195-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ax88179_178a.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index 3df203feb09c5..812361e832fd5 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -1465,21 +1465,16 @@ static int ax88179_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + /* Skip IP alignment pseudo header */ + skb_pull(skb, 2); + +- skb->truesize = SKB_TRUESIZE(pkt_len_plus_padd); + ax88179_rx_checksum(skb, pkt_hdr); + return 1; + } + +- ax_skb = skb_clone(skb, GFP_ATOMIC); ++ ax_skb = netdev_alloc_skb_ip_align(dev->net, pkt_len); + if (!ax_skb) + return 0; +- skb_trim(ax_skb, pkt_len); ++ skb_put(ax_skb, pkt_len); ++ memcpy(ax_skb->data, skb->data + 2, pkt_len); + +- /* Skip IP alignment pseudo header */ +- skb_pull(ax_skb, 2); +- +- skb->truesize = pkt_len_plus_padd + +- SKB_DATA_ALIGN(sizeof(struct sk_buff)); + ax88179_rx_checksum(ax_skb, pkt_hdr); + usbnet_skb_return(dev, ax_skb); + +-- +2.43.0 + diff --git a/queue-4.19/nfc-trf7970a-disable-all-regulators-on-removal.patch b/queue-4.19/nfc-trf7970a-disable-all-regulators-on-removal.patch new file mode 100644 index 00000000000..6ebbbadb53d --- /dev/null +++ b/queue-4.19/nfc-trf7970a-disable-all-regulators-on-removal.patch @@ -0,0 +1,145 @@ +From d7909f6d03b1c8465189dc58d0ff622aba64b365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 21:25:38 +0200 +Subject: NFC: trf7970a: disable all regulators on removal + +From: Paul Geurts + +[ Upstream commit 6bea4f03c6a4e973ef369e15aac88f37981db49e ] + +During module probe, regulator 'vin' and 'vdd-io' are used and enabled, +but the vdd-io regulator overwrites the 'vin' regulator pointer. During +remove, only the vdd-io is disabled, as the vin regulator pointer is not +available anymore. When regulator_put() is called during resource +cleanup a kernel warning is given, as the regulator is still enabled. + +Store the two regulators in separate pointers and disable both the +regulators on module remove. + +Fixes: 49d22c70aaf0 ("NFC: trf7970a: Add device tree option of 1.8 Volt IO voltage") +Signed-off-by: Paul Geurts +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/DB7PR09MB26847A4EBF88D9EDFEB1DA0F950E2@DB7PR09MB2684.eurprd09.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/trf7970a.c | 42 +++++++++++++++++++++++------------------- + 1 file changed, 23 insertions(+), 19 deletions(-) + +diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c +index eee5cc1a92204..5ad5baf1d6f81 100644 +--- a/drivers/nfc/trf7970a.c ++++ b/drivers/nfc/trf7970a.c +@@ -427,7 +427,8 @@ struct trf7970a { + enum trf7970a_state state; + struct device *dev; + struct spi_device *spi; +- struct regulator *regulator; ++ struct regulator *vin_regulator; ++ struct regulator *vddio_regulator; + struct nfc_digital_dev *ddev; + u32 quirks; + bool is_initiator; +@@ -1886,7 +1887,7 @@ static int trf7970a_power_up(struct trf7970a *trf) + if (trf->state != TRF7970A_ST_PWR_OFF) + return 0; + +- ret = regulator_enable(trf->regulator); ++ ret = regulator_enable(trf->vin_regulator); + if (ret) { + dev_err(trf->dev, "%s - Can't enable VIN: %d\n", __func__, ret); + return ret; +@@ -1929,7 +1930,7 @@ static int trf7970a_power_down(struct trf7970a *trf) + if (trf->en2_gpiod && !(trf->quirks & TRF7970A_QUIRK_EN2_MUST_STAY_LOW)) + gpiod_set_value_cansleep(trf->en2_gpiod, 0); + +- ret = regulator_disable(trf->regulator); ++ ret = regulator_disable(trf->vin_regulator); + if (ret) + dev_err(trf->dev, "%s - Can't disable VIN: %d\n", __func__, + ret); +@@ -2068,37 +2069,37 @@ static int trf7970a_probe(struct spi_device *spi) + mutex_init(&trf->lock); + INIT_DELAYED_WORK(&trf->timeout_work, trf7970a_timeout_work_handler); + +- trf->regulator = devm_regulator_get(&spi->dev, "vin"); +- if (IS_ERR(trf->regulator)) { +- ret = PTR_ERR(trf->regulator); ++ trf->vin_regulator = devm_regulator_get(&spi->dev, "vin"); ++ if (IS_ERR(trf->vin_regulator)) { ++ ret = PTR_ERR(trf->vin_regulator); + dev_err(trf->dev, "Can't get VIN regulator: %d\n", ret); + goto err_destroy_lock; + } + +- ret = regulator_enable(trf->regulator); ++ ret = regulator_enable(trf->vin_regulator); + if (ret) { + dev_err(trf->dev, "Can't enable VIN: %d\n", ret); + goto err_destroy_lock; + } + +- uvolts = regulator_get_voltage(trf->regulator); ++ uvolts = regulator_get_voltage(trf->vin_regulator); + if (uvolts > 4000000) + trf->chip_status_ctrl = TRF7970A_CHIP_STATUS_VRS5_3; + +- trf->regulator = devm_regulator_get(&spi->dev, "vdd-io"); +- if (IS_ERR(trf->regulator)) { +- ret = PTR_ERR(trf->regulator); ++ trf->vddio_regulator = devm_regulator_get(&spi->dev, "vdd-io"); ++ if (IS_ERR(trf->vddio_regulator)) { ++ ret = PTR_ERR(trf->vddio_regulator); + dev_err(trf->dev, "Can't get VDD_IO regulator: %d\n", ret); +- goto err_destroy_lock; ++ goto err_disable_vin_regulator; + } + +- ret = regulator_enable(trf->regulator); ++ ret = regulator_enable(trf->vddio_regulator); + if (ret) { + dev_err(trf->dev, "Can't enable VDD_IO: %d\n", ret); +- goto err_destroy_lock; ++ goto err_disable_vin_regulator; + } + +- if (regulator_get_voltage(trf->regulator) == 1800000) { ++ if (regulator_get_voltage(trf->vddio_regulator) == 1800000) { + trf->io_ctrl = TRF7970A_REG_IO_CTRL_IO_LOW; + dev_dbg(trf->dev, "trf7970a config vdd_io to 1.8V\n"); + } +@@ -2111,7 +2112,7 @@ static int trf7970a_probe(struct spi_device *spi) + if (!trf->ddev) { + dev_err(trf->dev, "Can't allocate NFC digital device\n"); + ret = -ENOMEM; +- goto err_disable_regulator; ++ goto err_disable_vddio_regulator; + } + + nfc_digital_set_parent_dev(trf->ddev, trf->dev); +@@ -2140,8 +2141,10 @@ static int trf7970a_probe(struct spi_device *spi) + trf7970a_shutdown(trf); + err_free_ddev: + nfc_digital_free_device(trf->ddev); +-err_disable_regulator: +- regulator_disable(trf->regulator); ++err_disable_vddio_regulator: ++ regulator_disable(trf->vddio_regulator); ++err_disable_vin_regulator: ++ regulator_disable(trf->vin_regulator); + err_destroy_lock: + mutex_destroy(&trf->lock); + return ret; +@@ -2160,7 +2163,8 @@ static int trf7970a_remove(struct spi_device *spi) + nfc_digital_unregister_device(trf->ddev); + nfc_digital_free_device(trf->ddev); + +- regulator_disable(trf->regulator); ++ regulator_disable(trf->vddio_regulator); ++ regulator_disable(trf->vin_regulator); + + mutex_destroy(&trf->lock); + +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index c8a0a68923e..4ef08e5d4ca 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -35,3 +35,18 @@ nouveau-fix-instmem-race-condition-around-ptr-stores.patch nilfs2-fix-oob-in-nilfs_set_de_type.patch tracing-remove-hist-trigger-synth_var_refs.patch tracing-use-var_refs-for-hist-trigger-reference-checking.patch +arm64-dts-rockchip-fix-alphabetical-ordering-rk3399-.patch +arm64-dts-rockchip-enable-internal-pull-up-on-pcie_w.patch +arm64-dts-mediatek-mt7622-fix-ir-nodename.patch +arm64-dts-mediatek-mt7622-fix-ethernet-controller-co.patch +arm64-dts-mediatek-mt7622-drop-reset-names-from-ther.patch +arc-plat-hsdk-remove-misplaced-interrupt-cells-prope.patch +vxlan-drop-packets-from-invalid-src-address.patch +mlxsw-core-unregister-emad-trap-using-forward-action.patch +nfc-trf7970a-disable-all-regulators-on-removal.patch +net-usb-ax88179_178a-stop-lying-about-skb-truesize.patch +net-gtp-fix-use-after-free-in-gtp_dellink.patch +ipvs-fix-checksumming-on-gso-of-sctp-packets.patch +net-openvswitch-ovs_ct_exit-to-be-done-under-ovs_loc.patch +net-openvswitch-fix-use-after-free-in-ovs_ct_exit.patch +i40e-do-not-use-wq_mem_reclaim-flag-for-workqueue.patch diff --git a/queue-4.19/vxlan-drop-packets-from-invalid-src-address.patch b/queue-4.19/vxlan-drop-packets-from-invalid-src-address.patch new file mode 100644 index 00000000000..8c44f939183 --- /dev/null +++ b/queue-4.19/vxlan-drop-packets-from-invalid-src-address.patch @@ -0,0 +1,52 @@ +From 34a9fc43cfd9fbd71bf8e298ad3b51178cb9b81b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 15:29:08 +0200 +Subject: vxlan: drop packets from invalid src-address + +From: David Bauer + +[ Upstream commit f58f45c1e5b92975e91754f5407250085a6ae7cf ] + +The VXLAN driver currently does not check if the inner layer2 +source-address is valid. + +In case source-address snooping/learning is enabled, a entry in the FDB +for the invalid address is created with the layer3 address of the tunnel +endpoint. + +If the frame happens to have a non-unicast address set, all this +non-unicast traffic is subsequently not flooded to the tunnel network +but sent to the learnt host in the FDB. To make matters worse, this FDB +entry does not expire. + +Apply the same filtering for packets as it is done for bridges. This not +only drops these invalid packets but avoids them from being learnt into +the FDB. + +Fixes: d342894c5d2f ("vxlan: virtual extensible lan") +Suggested-by: Ido Schimmel +Signed-off-by: David Bauer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index d5c8d0d54b33d..b004c8b6ec28e 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1320,6 +1320,10 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan, + if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) + return false; + ++ /* Ignore packets from invalid src-address */ ++ if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) ++ return false; ++ + /* Get address from the outer IP header */ + if (vxlan_get_sk_family(vs) == AF_INET) { + saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr; +-- +2.43.0 +