From: Sasha Levin Date: Mon, 23 May 2022 03:03:29 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.9.316~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e9d776c8928ac372074d76633da118b0413e180;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch b/queue-5.10/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch new file mode 100644 index 00000000000..df345b3eab1 --- /dev/null +++ b/queue-5.10/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch @@ -0,0 +1,36 @@ +From 4724d01978098acc8984d16d08e9a8e27dccff25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:44:51 +0100 +Subject: ARM: 9196/1: spectre-bhb: enable for Cortex-A15 + +From: Ard Biesheuvel + +[ Upstream commit 0dc14aa94ccd8ba35eb17a0f9b123d1566efd39e ] + +The Spectre-BHB mitigations were inadvertently left disabled for +Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in +that case. So fix that. + +Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index 06dbfb968182..fb9f3eb6bf48 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -288,6 +288,7 @@ void cpu_v7_ca15_ibe(void) + { + if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0))) + cpu_v7_spectre_v2_init(); ++ cpu_v7_spectre_bhb_init(); + } + + void cpu_v7_bugs_init(void) +-- +2.35.1 + diff --git a/queue-5.10/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch b/queue-5.10/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch new file mode 100644 index 00000000000..bcce3bca2bc --- /dev/null +++ b/queue-5.10/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch 
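Review bot: In cpu_v7_ca15_ibe() the added `cpu_v7_spectre_bhb_init();` sits directly under an unbraced `if`, so it is easy to misread as part of the Spectre-v2 branch even though it runs unconditionally. A blank line and a comment such as `/* Spectre-BHB setup does not depend on the IBE bit checked above */` would make the intent explicit. The hunk does not show what check_spectre_auxcr() reports when it fails, so it is worth confirming that running the BHB init in that case is intended.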
@@ -0,0 +1,37 @@ +From 6f0d7bddb7d32cc0431217f879b97577133b44c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:46:17 +0100 +Subject: ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 + +From: Ard Biesheuvel + +[ Upstream commit 3cfb3019979666bdf33a1010147363cf05e0f17b ] + +In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow +encoding, and so it does not jump to the following instruction as +expected. So use W(b) instead. + +Fixes: 6c7cb60bff7a ("ARM: fix Thumb2 regression with Spectre BHB") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-armv.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S +index c3ebe3584103..030351d169aa 100644 +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -1043,7 +1043,7 @@ vector_bhb_loop8_\name: + + @ bhb workaround + mov r0, #8 +-3: b . + 4 ++3: W(b) . + 4 + subs r0, r0, #1 + bne 3b + dsb +-- +2.35.1 + diff --git a/queue-5.10/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch b/queue-5.10/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch new file mode 100644 index 00000000000..d7238da548b --- /dev/null +++ b/queue-5.10/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch 
@@ -0,0 +1,45 @@ +From ea72b5c8113b40d082dc15fcec56615235c2f16e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:32 -0700 +Subject: ARM: dts: aspeed-g6: fix SPI1/SPI2 quad pin group + +From: Jae Hyun Yoo + +[ Upstream commit 890362d41b244536ab63591f813393f5fdf59ed7 ] + +Fix incorrect function mappings in pinctrl_qspi1_default and +pinctrl_qspi2_default since their function should be SPI1 and +SPI2 respectively. + +Fixes: f510f04c8c83 ("ARM: dts: aspeed: Add AST2600 pinmux nodes") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-8-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index 546ce37f3f4e..1ef89dd55d92 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -648,12 +648,12 @@ pinctrl_pwm9g1_default: pwm9g1_default { + }; + + pinctrl_qspi1_default: qspi1_default { +- function = "QSPI1"; ++ function = "SPI1"; + groups = "QSPI1"; + }; + + pinctrl_qspi2_default: qspi2_default { +- function = "QSPI2"; ++ function = "SPI2"; + groups = "QSPI2"; + }; + +-- +2.35.1 + diff --git a/queue-5.10/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch b/queue-5.10/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch new file mode 100644 index 00000000000..566b1526433 --- /dev/null +++ b/queue-5.10/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch 
@@ -0,0 +1,43 @@ +From 18da8e14890e1182062b5e7d865e1e7be85429cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:26 -0700 +Subject: ARM: dts: aspeed-g6: remove FWQSPID group in pinctrl dtsi + +From: Jae Hyun Yoo + +[ Upstream commit efddaa397cceefb61476e383c26fafd1f8ab6356 ] + +FWSPIDQ2 and FWSPIDQ3 are not part of FWSPI18 interface so remove +FWQSPID group in pinctrl dtsi. These pins must be used with the +FWSPI pins that are dedicated for boot SPI interface which provides +same 3.3v logic level. + +Fixes: 2f6edb6bcb2f ("ARM: dts: aspeed: Fix AST2600 quad spi group") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-2-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index a362714ae9fc..546ce37f3f4e 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -117,11 +117,6 @@ pinctrl_fwspid_default: fwspid_default { + groups = "FWSPID"; + }; + +- pinctrl_fwqspid_default: fwqspid_default { +- function = "FWSPID"; +- groups = "FWQSPID"; +- }; +- + pinctrl_fwspiwp_default: fwspiwp_default { + function = "FWSPIWP"; + groups = "FWSPIWP"; +-- +2.35.1 + diff --git a/queue-5.10/arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch b/queue-5.10/arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch new file mode 100644 index 00000000000..ebaf1620754 --- /dev/null +++ b/queue-5.10/arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch 
@@ -0,0 +1,57 @@ +From eed7129b5b1e1b1500b748013f4b6e36a3c324d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 16:31:34 +0530 +Subject: arm64: Enable repeat tlbi workaround on KRYO4XX gold CPUs + +From: Shreyas K K + +[ Upstream commit 51f559d66527e238f9a5f82027bff499784d4eac ] + +Add KRYO4XX gold/big cores to the list of CPUs that need the +repeat TLBI workaround. Apply this to the affected +KRYO4XX cores (rcpe to rfpe). + +The variant and revision bits are implementation defined and are +different from the their Cortex CPU counterparts on which they are +based on, i.e., (r0p0 to r3p0) is equivalent to (rcpe to rfpe). + +Signed-off-by: Shreyas K K +Reviewed-by: Sai Prakash Ranjan +Link: https://lore.kernel.org/r/20220512110134.12179-1-quic_shrekk@quicinc.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + Documentation/arm64/silicon-errata.rst | 3 +++ + arch/arm64/kernel/cpu_errata.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 719510247292..f01eed0ee23a 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -160,6 +160,9 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Qualcomm Tech. | Kryo4xx Silver | N/A | ARM64_ERRATUM_1024718 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Qualcomm Tech. 
| Kryo4xx Gold | N/A | ARM64_ERRATUM_1286807 | +++----------------+-----------------+-----------------+-----------------------------+ ++ + +----------------+-----------------+-----------------+-----------------------------+ + | Fujitsu | A64FX | E#010001 | FUJITSU_ERRATUM_010001 | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 533559c7d2b3..ca42d58e8c82 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -220,6 +220,8 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + #ifdef CONFIG_ARM64_ERRATUM_1286807 + { + ERRATA_MIDR_RANGE(MIDR_CORTEX_A76, 0, 0, 3, 0), ++ /* Kryo4xx Gold (rcpe to rfpe) => (r0p0 to r3p0) */ ++ ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, 0xc, 0xe, 0xf, 0xe), + }, + #endif + {}, +-- +2.35.1 + diff --git a/queue-5.10/clk-at91-generated-consider-range-when-calculating-b.patch b/queue-5.10/clk-at91-generated-consider-range-when-calculating-b.patch new file mode 100644 index 00000000000..a85c6698ecd --- /dev/null +++ b/queue-5.10/clk-at91-generated-consider-range-when-calculating-b.patch 
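Review bot: In arm64_repeat_tlbi_list[] the Kryo4xx Gold range is added inside the same `{ }` element as the Cortex-A76 range, which may silently drop the A76 match. ERRATA_MIDR_RANGE is defined outside this hunk, but if it expands to designated initializers for the entry's match fields, the second use overrides the first and Cortex-A76 r0p0 to r3p0 no longer gets the repeat-TLBI workaround. Give the new range its own element by closing the A76 entry with `},` and opening a new `{` before the `/* Kryo4xx Gold ... */` comment. Separately, the added blank line after the new row in silicon-errata.rst appears to split the grid table ahead of the Fujitsu row.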
@@ -0,0 +1,42 @@ +From a602af8caa998997437622580ca66ac3c52d8a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:13:18 +0300 +Subject: clk: at91: generated: consider range when calculating best rate + +From: Codrin Ciubotariu + +[ Upstream commit d0031e6fbed955ff8d5f5bbc8fe7382482559cec ] + +clk_generated_best_diff() helps in finding the parent and the divisor to +compute a rate closest to the required one. However, it doesn't take into +account the request's range for the new rate. Make sure the new rate +is within the required range. + +Fixes: 8a8f4bf0c480 ("clk: at91: clk-generated: create function to find best_diff") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220413071318.244912-1-codrin.ciubotariu@microchip.com +Reviewed-by: Claudiu Beznea +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-generated.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c +index b656d25a9767..fe772baeb15f 100644 +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -106,6 +106,10 @@ static void clk_generated_best_diff(struct clk_rate_request *req, + tmp_rate = parent_rate; + else + tmp_rate = parent_rate / div; ++ ++ if (tmp_rate < req->min_rate || tmp_rate > req->max_rate) ++ return; ++ + tmp_diff = abs(req->rate - tmp_rate); + + if (*best_diff < 0 || *best_diff >= tmp_diff) { +-- +2.35.1 + diff --git a/queue-5.10/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch b/queue-5.10/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch new file mode 100644 index 00000000000..125947ee58a --- /dev/null +++ b/queue-5.10/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch 
@@ -0,0 +1,49 @@ +From b26840666874e88e7309524b347f7238b4ee4ee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 17:42:50 +0800 +Subject: ethernet: tulip: fix missing pci_disable_device() on error in + tulip_init_one() + +From: Yang Yingliang + +[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ] + +Fix the missing pci_disable_device() before return +from tulip_init_one() in the error handling case. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220506094250.3630615-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c +index e7b0d7de40fd..c22d945a79fd 100644 +--- a/drivers/net/ethernet/dec/tulip/tulip_core.c ++++ b/drivers/net/ethernet/dec/tulip/tulip_core.c +@@ -1396,8 +1396,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* alloc_etherdev ensures aligned and zeroed private structures */ + dev = alloc_etherdev (sizeof (*tp)); +- if (!dev) ++ if (!dev) { ++ pci_disable_device(pdev); + return -ENOMEM; ++ } + + SET_NETDEV_DEV(dev, &pdev->dev); + if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) { +@@ -1774,6 +1776,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_free_netdev: + free_netdev (dev); ++ pci_disable_device(pdev); + return -ENODEV; + } + +-- +2.35.1 + diff --git a/queue-5.10/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch b/queue-5.10/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch new file mode 100644 index 00000000000..394dcd90042 --- /dev/null +++ b/queue-5.10/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch 
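Review bot: tulip_init_one() now calls `pci_disable_device(pdev)` in two separate places, inline in the `!dev` branch and under `err_out_free_netdev`, which makes it easy for a later error path to miss the call again. A dedicated label placed after `free_netdev (dev);`, for example `err_out_disable_pdev:`, would keep the unwind in one place; the two paths return different codes (-ENOMEM and -ENODEV), so the code would have to be carried in a variable. The function body extends well beyond both hunks, so any other early `return` taken after the device is enabled should be checked for the same leak.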
@@ -0,0 +1,45 @@ +From 5fd7aa018377ec179a231cc6ed1fe5ddf3b3abde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 10:15:04 +0800 +Subject: gpio: gpio-vf610: do not touch other bits when set the target bit + +From: Haibo Chen + +[ Upstream commit 9bf3ac466faa83d51a8fe9212131701e58fdef74 ] + +For gpio controller contain register PDDR, when set one target bit, +current logic will clear all other bits, this is wrong. Use operator +'|=' to fix it. + +Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support") +Reviewed-by: Peng Fan +Signed-off-by: Haibo Chen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 58776f2d69ff..1ae612c796ee 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -125,9 +125,13 @@ static int vf610_gpio_direction_output(struct gpio_chip *chip, unsigned gpio, + { + struct vf610_gpio_port *port = gpiochip_get_data(chip); + unsigned long mask = BIT(gpio); ++ u32 val; + +- if (port->sdata && port->sdata->have_paddr) +- vf610_gpio_writel(mask, port->gpio_base + GPIO_PDDR); ++ if (port->sdata && port->sdata->have_paddr) { ++ val = vf610_gpio_readl(port->gpio_base + GPIO_PDDR); ++ val |= mask; ++ vf610_gpio_writel(val, port->gpio_base + GPIO_PDDR); ++ } + + vf610_gpio_set(chip, gpio, value); + +-- +2.35.1 + diff --git a/queue-5.10/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch b/queue-5.10/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch new file mode 100644 index 00000000000..46c31cefe90 --- /dev/null +++ b/queue-5.10/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch 
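Review bot: The new read-modify-write of GPIO_PDDR in vf610_gpio_direction_output() (`vf610_gpio_readl`, `val |= mask`, `vf610_gpio_writel`) is not atomic, and no lock is taken in the visible lines. Two callers changing direction on different pins of the same port at the same time could lose one of the updates, which is the same "other bits get clobbered" failure the commit fixes, only now timing-dependent. If the port structure has or can get a spinlock, hold it across the three lines, and apply the same to the matching input-direction path if it also rewrites PDDR (not visible here). At minimum, add a comment stating what serialises these accesses.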
@@ -0,0 +1,40 @@ +From 9d2769b62c949439632929459487e922c13752c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 09:58:56 +0200 +Subject: gpio: mvebu/pwm: Refuse requests with inverted polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 3ecb10175b1f776f076553c24e2689e42953fef5 ] + +The driver doesn't take struct pwm_state::polarity into account when +configuring the hardware, so refuse requests for inverted polarity. + +Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mvebu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c +index ed7c5fc47f52..2ab34a8e6273 100644 +--- a/drivers/gpio/gpio-mvebu.c ++++ b/drivers/gpio/gpio-mvebu.c +@@ -700,6 +700,9 @@ static int mvebu_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + unsigned long flags; + unsigned int on, off; + ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ + val = (unsigned long long) mvpwm->clk_rate * state->duty_cycle; + do_div(val, NSEC_PER_SEC); + if (val > UINT_MAX) +-- +2.35.1 + diff --git a/queue-5.10/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch b/queue-5.10/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch new file mode 100644 index 00000000000..a789cb28aaf --- /dev/null +++ b/queue-5.10/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch 
@@ -0,0 +1,51 @@ +From 6e4ad03290537076d8adc9ad1f346c07ba493083 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 14:11:42 -0700 +Subject: ice: fix possible under reporting of ethtool Tx and Rx statistics + +From: Paul Greenwalt + +[ Upstream commit 31b6298fd8e29effe9ed6b77351ac5969be56ce0 ] + +The hardware statistics counters are not cleared during resets so the +drivers first access is to initialize the baseline and then subsequent +reads are for reporting the counters. The statistics counters are read +during the watchdog subtask when the interface is up. If the baseline +is not initialized before the interface is up, then there can be a brief +window in which some traffic can be transmitted/received before the +initial baseline reading takes place. + +Directly initialize ethtool statistics in driver open so the baseline will +be initialized when the interface is up, and any dropped packets +incremented before the interface is up won't be reported. + +Fixes: 28dc1b86f8ea9 ("ice: ignore dropped packets during init") +Signed-off-by: Paul Greenwalt +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index eb0625b52e45..aae79fdd5172 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -5271,9 +5271,10 @@ static int ice_up_complete(struct ice_vsi *vsi) + netif_carrier_on(vsi->netdev); + } + +- /* clear this now, and the first stats read will be used as baseline */ +- vsi->stat_offsets_loaded = false; +- ++ /* Perform an initial read of the statistics registers now to ++ * set the baseline so counters are ready when interface is up ++ */ ++ ice_update_eth_stats(vsi); + ice_service_task_schedule(pf); + + return 0; +-- +2.35.1 + 
diff --git a/queue-5.10/igb-skip-phy-status-check-where-unavailable.patch b/queue-5.10/igb-skip-phy-status-check-where-unavailable.patch new file mode 100644 index 00000000000..d55153bdaee --- /dev/null +++ b/queue-5.10/igb-skip-phy-status-check-where-unavailable.patch @@ -0,0 +1,46 @@ +From 4f1c0f489853400e978384d458b7968873b67799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 11:01:05 -0700 +Subject: igb: skip phy status check where unavailable + +From: Kevin Mitchell + +[ Upstream commit 942d2ad5d2e0df758a645ddfadffde2795322728 ] + +igb_read_phy_reg() will silently return, leaving phy_data untouched, if +hw->ops.read_reg isn't set. Depending on the uninitialized value of +phy_data, this led to the phy status check either succeeding immediately +or looping continuously for 2 seconds before emitting a noisy err-level +timeout. This message went out to the console even though there was no +actual problem. + +Instead, first check if there is read_reg function pointer. If not, +proceed without trying to check the phy status register. + +Fixes: b72f3f72005d ("igb: When GbE link up, wait for Remote receiver status condition") +Signed-off-by: Kevin Mitchell +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index f854d41c6c94..5e67c9c119d2 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -5499,7 +5499,8 @@ static void igb_watchdog_task(struct work_struct *work) + break; + } + +- if (adapter->link_speed != SPEED_1000) ++ if (adapter->link_speed != SPEED_1000 || ++ !hw->phy.ops.read_reg) + goto no_wait; + + /* wait for Remote receiver status OK */ +-- +2.35.1 + 
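Review bot: The added `!hw->phy.ops.read_reg` test in igb_watchdog_task() avoids the bad read at this one call site, but the underlying hazard described in the commit message remains: igb_read_phy_reg() can return without writing its output, so the caller ends up branching on an uninitialised stack value. Initialising `phy_data` where it is declared (outside this hunk) would make the wait loop deterministic even if another path reaches it without a read_reg hook. A short comment on the new condition, for example `/* no PHY register access on this device: skip the remote receiver status wait */`, would also explain why a missing hook is treated like a non-gigabit link.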
diff --git a/queue-5.10/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch b/queue-5.10/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch new file mode 100644 index 00000000000..4d4d4c62fd5 --- /dev/null +++ b/queue-5.10/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch @@ -0,0 +1,38 @@ +From e181fd194352968d5015d1c075e1a58b38928a53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 12:50:38 +0200 +Subject: mac80211: fix rx reordering with non explicit / psmp ack policy + +From: Felix Fietkau + +[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ] + +When the QoS ack policy was set to non explicit / psmp ack, frames are treated +as not being part of a BA session, which causes extra latency on reordering. +Fix this by only bypassing reordering for packets with no-ack policy + +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20220420105038.36443-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 1e7614abd947..e991abb45f68 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1387,8 +1387,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, + goto dont_reorder; + + /* not part of a BA session */ +- if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && +- ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) ++ if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK) + goto dont_reorder; + + /* new, potentially un-ordered, ampdu frame - process it */ +-- +2.35.1 + diff --git a/queue-5.10/net-af_key-add-check-for-pfkey_broadcast-in-function.patch b/queue-5.10/net-af_key-add-check-for-pfkey_broadcast-in-function.patch new file mode 100644 index 00000000000..040e1c9796c --- /dev/null +++ b/queue-5.10/net-af_key-add-check-for-pfkey_broadcast-in-function.patch 
@@ -0,0 +1,42 @@ +From 15d095254571b9aee7d4643c996e2b566ac47d57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 17:42:31 +0800 +Subject: net: af_key: add check for pfkey_broadcast in function pfkey_process + +From: Jiasheng Jiang + +[ Upstream commit 4dc2a5a8f6754492180741facf2a8787f2c415d7 ] + +If skb_clone() returns null pointer, pfkey_broadcast() will +return error. +Therefore, it should be better to check the return value of +pfkey_broadcast() and return error if fails. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index bd9b5c573b5a..61505b0df57d 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2830,8 +2830,10 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb + void *ext_hdrs[SADB_EXT_MAX]; + int err; + +- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, +- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, ++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ if (err) ++ return err; + + memset(ext_hdrs, 0, sizeof(ext_hdrs)); + err = parse_exthdrs(skb, hdr, ext_hdrs); +-- +2.35.1 + diff --git a/queue-5.10/net-atlantic-add-check-for-max_skb_frags.patch b/queue-5.10/net-atlantic-add-check-for-max_skb_frags.patch new file mode 100644 index 00000000000..65b7383a619 --- /dev/null +++ b/queue-5.10/net-atlantic-add-check-for-max_skb_frags.patch 
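Review bot: In pfkey_process() the new `if (err) return err;` treats every non-zero result of pfkey_broadcast() as fatal, although the call is a best-effort copy to promiscuous listeners made with BROADCAST_PROMISC_ONLY and a NULL one_sk. pfkey_broadcast() is defined outside this hunk; if it also returns non-zero when no listener received the message (I would expect -ESRCH), then with no promiscuous socket open every PF_KEY request would be rejected before parse_exthdrs() runs, breaking key management for all users of the socket. The failure the commit message is concerned with is the clone, so it is safer to test that directly, `clone = skb_clone(skb, GFP_KERNEL); if (!clone) return -ENOMEM;`, and keep ignoring the broadcast result. Please confirm the return contract of pfkey_broadcast() before this is queued.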
@@ -0,0 +1,55 @@ +From f4bcda8e3a24737b925bba9fafb65622fe40a5aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:25 -0700 +Subject: net: atlantic: add check for MAX_SKB_FRAGS + +From: Grant Grundler + +[ Upstream commit 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f ] + +Enforce that the CPU can not get stuck in an infinite loop. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 339efdfb1d49..e9c6f1fa0b1a 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -362,6 +362,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + continue; + + if (!buff->is_eop) { ++ unsigned int frag_cnt = 0U; + buff_ = buff; + do { + bool is_rsc_completed = true; +@@ -370,6 +371,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + err = -EIO; + goto err_exit; + } ++ ++ frag_cnt++; + next_ = buff_->next, + buff_ = &self->buff_ring[next_]; + is_rsc_completed = +@@ -377,7 +380,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + next_, + self->hw_head); + +- if (unlikely(!is_rsc_completed)) { ++ if (unlikely(!is_rsc_completed) || ++ frag_cnt > MAX_SKB_FRAGS) { + err = 0; + goto err_exit; + } +-- +2.35.1 + diff --git a/queue-5.10/net-atlantic-fix-frag-0-not-initialized.patch b/queue-5.10/net-atlantic-fix-frag-0-not-initialized.patch new file mode 100644 index 00000000000..48b433dd025 --- /dev/null +++ b/queue-5.10/net-atlantic-fix-frag-0-not-initialized.patch 
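Review bot: The bound `frag_cnt > MAX_SKB_FRAGS` in aq_ring_rx_clean() still accepts a chain of exactly MAX_SKB_FRAGS continuation buffers, and the "frag[0] not initialized" patch in this same queue shows that the head buffer can take a fragment slot of its own via `skb_add_rx_frag(skb, i++, ...)`. If both hold, the skb would need MAX_SKB_FRAGS + 1 fragment slots, so `frag_cnt >= MAX_SKB_FRAGS` looks like the safer limit for a value derived from device-written descriptors. The over-long chain also exits with `err = 0`, the same result as an RSC that is merely incomplete, so the condition is invisible to the caller and to logs. Splitting it out as `if (frag_cnt > MAX_SKB_FRAGS) { err = -EIO; goto err_exit; }`, matching the out-of-range `next` check just above, would make it distinguishable. The loop and the fragment-building code lie partly outside this hunk, so the exact slot count should be confirmed against the full function.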
@@ -0,0 +1,53 @@ +From bdd2b1c50854b66c5f5f8b9e9a5d31facf232a50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:23 -0700 +Subject: net: atlantic: fix "frag[0] not initialized" + +From: Grant Grundler + +[ Upstream commit 62e0ae0f4020250f961cf8d0103a4621be74e077 ] + +In aq_ring_rx_clean(), if buff->is_eop is not set AND +buff->len < AQ_CFG_RX_HDR_SIZE, then hdr_len remains equal to +buff->len and skb_add_rx_frag(xxx, *0*, ...) is not called. + +The loop following this code starts calling skb_add_rx_frag() starting +with i=1 and thus frag[0] is never initialized. Since i is initialized +to zero at the top of the primary loop, we can just reference and +post-increment i instead of hardcoding the 0 when calling +skb_add_rx_frag() the first time. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 72f8751784c3..7cf5a48e9a7d 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -445,7 +445,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + ALIGN(hdr_len, sizeof(long))); + + if (buff->len - hdr_len > 0) { +- skb_add_rx_frag(skb, 0, buff->rxdata.page, ++ skb_add_rx_frag(skb, i++, buff->rxdata.page, + buff->rxdata.pg_off + hdr_len, + buff->len - hdr_len, + AQ_CFG_RX_FRAME_MAX); +@@ -454,7 +454,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + + if (!buff->is_eop) { + buff_ = buff; +- i = 1U; + do { + next_ = buff_->next; + buff_ = &self->buff_ring[next_]; +-- +2.35.1 + 
diff --git a/queue-5.10/net-atlantic-reduce-scope-of-is_rsc_complete.patch b/queue-5.10/net-atlantic-reduce-scope-of-is_rsc_complete.patch new file mode 100644 index 00000000000..fcbb0d74fa1 --- /dev/null +++ b/queue-5.10/net-atlantic-reduce-scope-of-is_rsc_complete.patch 
@@ -0,0 +1,68 @@ +From ef60e40479639ea352c07ddbaa3787afb12e5059 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:24 -0700 +Subject: net: atlantic: reduce scope of is_rsc_complete + +From: Grant Grundler + +[ Upstream commit 79784d77ebbd3ec516b7a5ce555d979fb7946202 ] + +Don't defer handling the err case outside the loop. That's pointless. + +And since is_rsc_complete is only used inside this loop, declare +it inside the loop to reduce it's scope. + +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 7cf5a48e9a7d..339efdfb1d49 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -345,7 +345,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + int budget) + { + struct net_device *ndev = aq_nic_get_ndev(self->aq_nic); +- bool is_rsc_completed = true; + int err = 0; + + for (; (self->sw_head != self->hw_head) && budget; +@@ -365,6 +364,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + if (!buff->is_eop) { + buff_ = buff; + do { ++ bool is_rsc_completed = true; ++ + if (buff_->next >= self->size) { + err = -EIO; + goto err_exit; +@@ -376,18 +377,16 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + next_, + self->hw_head); + +- if (unlikely(!is_rsc_completed)) +- break; ++ if (unlikely(!is_rsc_completed)) { ++ err = 0; ++ goto err_exit; ++ } + + buff->is_error |= buff_->is_error; + buff->is_cso_err |= buff_->is_cso_err; + + } while (!buff_->is_eop); + +- if (!is_rsc_completed) { +- err = 0; +- goto err_exit; +- } + if (buff->is_error || + (buff->is_lro && buff->is_cso_err)) { + buff_ = buff; +-- +2.35.1 + 
diff --git a/queue-5.10/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch b/queue-5.10/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch new file mode 100644 index 00000000000..98b9886a067 --- /dev/null +++ b/queue-5.10/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch @@ -0,0 +1,43 @@ +From 6f1c341091dd2e41baa6aed405d14595a71865f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:26 -0700 +Subject: net: atlantic: verify hw_head_ lies within TX buffer ring + +From: Grant Grundler + +[ Upstream commit 2120b7f4d128433ad8c5f503a9584deba0684901 ] + +Bounds check hw_head index provided by NIC to verify it lies +within the TX buffer ring. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +index 9f1b15077e7d..45c17c585d74 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -889,6 +889,13 @@ int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self, + err = -ENXIO; + goto err_exit; + } ++ ++ /* Validate that the new hw_head_ is reasonable. */ ++ if (hw_head_ >= ring->size) { ++ err = -ENXIO; ++ goto err_exit; ++ } ++ + ring->hw_head = hw_head_; + err = aq_hw_err_from_flags(self); + +-- +2.35.1 + diff --git a/queue-5.10/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch b/queue-5.10/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch new file mode 100644 index 00000000000..18b47c3e1d3 --- /dev/null +++ b/queue-5.10/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch 
@@ -0,0 +1,72 @@ +From 282bfd22055b34a12c025ef72796a480a24facb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 02:58:40 +0200 +Subject: net: bridge: Clear offload_fwd_mark when passing frame up bridge + interface. + +From: Andrew Lunn + +[ Upstream commit fbb3abdf2223cd0dfc07de85fe5a43ba7f435bdf ] + +It is possible to stack bridges on top of each other. Consider the +following which makes use of an Ethernet switch: + + br1 + / \ + / \ + / \ + br0.11 wlan0 + | + br0 + / | \ +p1 p2 p3 + +br0 is offloaded to the switch. Above br0 is a vlan interface, for +vlan 11. This vlan interface is then a slave of br1. br1 also has a +wireless interface as a slave. This setup trunks wireless lan traffic +over the copper network inside a VLAN. + +A frame received on p1 which is passed up to the bridge has the +skb->offload_fwd_mark flag set to true, indicating that the switch has +dealt with forwarding the frame out ports p2 and p3 as needed. This +flag instructs the software bridge it does not need to pass the frame +back down again. However, the flag is not getting reset when the frame +is passed upwards. As a result br1 sees the flag, wrongly interprets +it, and fails to forward the frame to wlan0. + +When passing a frame upwards, clear the flag. This is the Rx +equivalent of br_switchdev_frame_unmark() in br_dev_xmit(). 
+ +Fixes: f1c2eddf4cb6 ("bridge: switchdev: Use an helper to clear forward mark") +Signed-off-by: Andrew Lunn +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20220518005840.771575-1-andrew@lunn.ch +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 59a318b9f646..bf5bf148091f 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -43,6 +43,13 @@ static int br_pass_frame_up(struct sk_buff *skb) + u64_stats_update_end(&brstats->syncp); + + vg = br_vlan_group_rcu(br); ++ ++ /* Reset the offload_fwd_mark because there could be a stacked ++ * bridge above, and it should not think this bridge it doing ++ * that bridge's work forwarding out its ports. ++ */ ++ br_switchdev_frame_unmark(skb); ++ + /* Bridge is just like any other port. Make sure the + * packet is allowed except in promisc modue when someone + * may be running packet capture. +-- +2.35.1 + diff --git a/queue-5.10/net-evaluate-net.ipvx.conf.all.disable_policy-and-di.patch b/queue-5.10/net-evaluate-net.ipvx.conf.all.disable_policy-and-di.patch new file mode 100644 index 00000000000..69478bbdfa8 --- /dev/null +++ b/queue-5.10/net-evaluate-net.ipvx.conf.all.disable_policy-and-di.patch 
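Review bot: The comment added in br_pass_frame_up() has a typo, "this bridge it doing", which makes the one sentence that explains the reset hard to read. Suggested wording: `/* Reset offload_fwd_mark: a stacked bridge above must not conclude that this bridge already forwarded the frame out of that bridge's ports. */`. The function body continues outside the hunk.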
@@ -0,0 +1,68 @@ +From 8e778e5329205df9439b96403c45454fec5fbfa1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Nov 2020 20:35:15 +0100 +Subject: net: evaluate net.ipvX.conf.all.disable_policy and disable_xfrm + +From: Vincent Bernat + +[ Upstream commit 62679a8d3aa4ba15ff63574a43e5686078d7b804 ] + +The disable_policy and disable_xfrm are a per-interface sysctl to +disable IPsec policy or encryption on an interface. However, while a +"all" variant is exposed, it was a noop since it was never evaluated. +We use the usual "or" logic for this kind of sysctls. + +Signed-off-by: Vincent Bernat +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 4080e3c6c50d..9bd3cd2177f4 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1776,7 +1776,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + flags |= RTCF_LOCAL; + + rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST, +- IN_DEV_CONF_GET(in_dev, NOPOLICY), false); ++ IN_DEV_ORCONF(in_dev, NOPOLICY), false); + if (!rth) + return -ENOBUFS; + +@@ -1893,8 +1893,8 @@ static int __mkroute_input(struct sk_buff *skb, + } + + rth = rt_dst_alloc(out_dev->dev, 0, res->type, +- IN_DEV_CONF_GET(in_dev, NOPOLICY), +- IN_DEV_CONF_GET(out_dev, NOXFRM)); ++ IN_DEV_ORCONF(in_dev, NOPOLICY), ++ IN_DEV_ORCONF(out_dev, NOXFRM)); + if (!rth) { + err = -ENOBUFS; + goto cleanup; +@@ -2276,7 +2276,7 @@ out: return err; + + rth = rt_dst_alloc(ip_rt_get_dev(net, res), + flags | RTCF_LOCAL, res->type, +- IN_DEV_CONF_GET(in_dev, NOPOLICY), false); ++ IN_DEV_ORCONF(in_dev, NOPOLICY), false); + if (!rth) + goto e_nobufs; + +@@ -2499,8 +2499,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res, + + add: + rth = rt_dst_alloc(dev_out, flags, type, +- IN_DEV_CONF_GET(in_dev, NOPOLICY), +- IN_DEV_CONF_GET(in_dev, 
NOXFRM)); ++ IN_DEV_ORCONF(in_dev, NOPOLICY), ++ IN_DEV_ORCONF(in_dev, NOXFRM)); + if (!rth) + return ERR_PTR(-ENOBUFS); + +-- +2.35.1 + diff --git a/queue-5.10/net-ipa-record-proper-rx-transaction-count.patch b/queue-5.10/net-ipa-record-proper-rx-transaction-count.patch new file mode 100644 index 00000000000..bbf20e59723 --- /dev/null +++ b/queue-5.10/net-ipa-record-proper-rx-transaction-count.patch 
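Review bot: Switching the four `rt_dst_alloc()` call sites in net/ipv4/route.c from `IN_DEV_CONF_GET` to `IN_DEV_ORCONF` turns the previously ignored `all` sysctl into one that takes effect, which is a behaviour change for a stable backport. A host that already had `net.ipv4.conf.all.disable_policy` or `disable_xfrm` set to 1 without effect would, after this update, skip IPsec policy checks or transforms on every interface. The description could state that explicitly so administrators audit those sysctls before deploying. The subject says `ipvX`, but the diffstat here covers only net/ipv4/route.c, so the IPv6 side is presumably handled elsewhere.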
@@ -0,0 +1,61 @@ +From 249f60b69118ee606321b6fa730190ef9c8a8254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 10:10:32 -0500 +Subject: net: ipa: record proper RX transaction count + +From: Alex Elder + +[ Upstream commit d8290cbe1111105f92f0c8ab455bec8bf98d0630 ] + +Each time we are notified that some number of transactions on an RX +channel has completed, we record the number of bytes that have been +transferred since the previous notification. We also track the +number of transactions completed, but that is not currently being +calculated correctly; we're currently counting the number of such +notifications, but each notification can represent many transaction +completions. Fix this. + +Fixes: 650d1603825d8 ("soc: qcom: ipa: the generic software interface") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/gsi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ipa/gsi.c b/drivers/net/ipa/gsi.c +index 2a65efd3e8da..fe91b72eca36 100644 +--- a/drivers/net/ipa/gsi.c ++++ b/drivers/net/ipa/gsi.c +@@ -1209,9 +1209,10 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index) + struct gsi_event *event_done; + struct gsi_event *event; + struct gsi_trans *trans; ++ u32 trans_count = 0; + u32 byte_count = 0; +- u32 old_index; + u32 event_avail; ++ u32 old_index; + + trans_info = &channel->trans_info; + +@@ -1232,6 +1233,7 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index) + do { + trans->len = __le16_to_cpu(event->len); + byte_count += trans->len; ++ trans_count++; + + /* Move on to the next event and transaction */ + if (--event_avail) +@@ -1243,7 +1245,7 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index) + + /* We record RX bytes when they are received */ + channel->byte_count += byte_count; +- channel->trans_count++; ++ channel->trans_count += trans_count; + } + + /* 
Initialize a ring, including allocating DMA memory for its entries */ +-- +2.35.1 + diff --git a/queue-5.10/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch b/queue-5.10/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch new file mode 100644 index 00000000000..9ebed671bfc --- /dev/null +++ b/queue-5.10/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch 
@@ -0,0 +1,53 @@ +From bbc3fe7c153d8718f04a7cc64f70caacb757ef96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 22:49:00 +0530 +Subject: net: macb: Increment rx bd head after allocating skb and buffer + +From: Harini Katakam + +[ Upstream commit 9500acc631dbb8b73166e25700e656b11f6007b6 ] + +In gem_rx_refill rx_prepared_head is incremented at the beginning of +the while loop preparing the skb and data buffers. If the skb or data +buffer allocation fails, this BD will be unusable BDs until the head +loops back to the same BD (and obviously buffer allocation succeeds). +In the unlikely event that there's a string of allocation failures, +there will be an equal number of unusable BDs and an inconsistent RX +BD chain. Hence increment the head at the end of the while loop to be +clean. + +Fixes: 4df95131ea80 ("net/macb: change RX path for GEM") +Signed-off-by: Harini Katakam +Signed-off-by: Michal Simek +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220512171900.32593-1-harini.katakam@xilinx.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index bd13f91efe7c..792c8147c2c4 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1092,7 +1092,6 @@ static void gem_rx_refill(struct macb_queue *queue) + /* Make hw descriptor updates visible to CPU */ + rmb(); + +- queue->rx_prepared_head++; + desc = macb_rx_desc(queue, entry); + + if (!queue->rx_skbuff[entry]) { +@@ -1131,6 +1130,7 @@ static void gem_rx_refill(struct macb_queue *queue) + dma_wmb(); + desc->addr &= ~MACB_BIT(RX_USED); + } ++ queue->rx_prepared_head++; + } + + /* Make descriptor updates visible to hardware */ +-- +2.35.1 + 
diff --git a/queue-5.10/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch b/queue-5.10/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch new file mode 100644 index 00000000000..b66450ac35f --- /dev/null +++ b/queue-5.10/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch @@ -0,0 +1,47 @@ +From a4dd86152fb6bee13b2029bddeefeecb850c411f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 18:37:03 +0300 +Subject: net/mlx5e: Properly block LRO when XDP is enabled + +From: Maxim Mikityanskiy + +[ Upstream commit cf6e34c8c22fba66bd21244b95ea47e235f68974 ] + +LRO is incompatible and mutually exclusive with XDP. However, the needed +checks are only made when enabling XDP. If LRO is enabled when XDP is +already active, the command will succeed, and XDP will be skipped in the +data path, although still enabled. + +This commit fixes the bug by checking the XDP status in +mlx5e_fix_features and disabling LRO if XDP is enabled. + +Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 16e98ac47624..d9cc0ed6c5f7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4009,6 +4009,13 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev, + } + } + ++ if (params->xdp_prog) { ++ if (features & NETIF_F_LRO) { ++ netdev_warn(netdev, "LRO is incompatible with XDP\n"); ++ features &= ~NETIF_F_LRO; ++ } ++ } ++ + if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) { + features &= ~NETIF_F_RXHASH; + if (netdev->features & NETIF_F_RXHASH) +-- +2.35.1 + 
diff --git a/queue-5.10/net-qla3xxx-fix-a-test-in-ql_reset_work.patch b/queue-5.10/net-qla3xxx-fix-a-test-in-ql_reset_work.patch new file mode 100644 index 00000000000..b9bde34e508 --- /dev/null +++ b/queue-5.10/net-qla3xxx-fix-a-test-in-ql_reset_work.patch @@ -0,0 +1,48 @@ +From 1485ac36655f62bd96771bf6b48404a89c323137 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 20:07:02 +0200 +Subject: net/qla3xxx: Fix a test in ql_reset_work() + +From: Christophe JAILLET + +[ Upstream commit 5361448e45fac6fb96738df748229432a62d78b6 ] + +test_bit() tests if one bit is set or not. +Here the logic seems to check of bit QL_RESET_PER_SCSI (i.e. 4) OR bit +QL_RESET_START (i.e. 3) is set. + +In fact, it checks if bit 7 (4 | 3 = 7) is set, that is to say +QL_ADAPTER_UP. + +This looks harmless, because this bit is likely be set, and when the +ql_reset_work() delayed work is scheduled in ql3xxx_isr() (the only place +that schedule this work), QL_RESET_START or QL_RESET_PER_SCSI is set. + +This has been spotted by smatch. + +Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/80e73e33f390001d9c0140ffa9baddf6466a41a2.1652637337.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index c9f32fc50254..2219e4c59ae6 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3628,7 +3628,8 @@ static void ql_reset_work(struct work_struct *work) + qdev->mem_map_registers; + unsigned long hw_flags; + +- if (test_bit((QL_RESET_PER_SCSI | QL_RESET_START), &qdev->flags)) { ++ if (test_bit(QL_RESET_PER_SCSI, &qdev->flags) || ++ test_bit(QL_RESET_START, &qdev->flags)) { + clear_bit(QL_LINK_MASTER, &qdev->flags); + + /* +-- +2.35.1 + 
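Review bot: The corrected condition in ql_reset_work() would benefit from a comment, because the original bug came from treating bit numbers as masks. Something like `/* QL_RESET_* are bit numbers for test_bit(), not masks; test each one separately */` above the `if` would keep the OR-ed form from being reintroduced. The two `test_bit()` calls are separate reads of `qdev->flags`, which looks fine here since either bit being set takes the same branch. The function body continues outside the hunk.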
diff --git a/queue-5.10/net-sched-act_pedit-sanitize-shift-argument-before-u.patch b/queue-5.10/net-sched-act_pedit-sanitize-shift-argument-before-u.patch new file mode 100644 index 00000000000..c835bffcbaa --- /dev/null +++ b/queue-5.10/net-sched-act_pedit-sanitize-shift-argument-before-u.patch 
@@ -0,0 +1,84 @@ +From 6c25517e79be2565dae8208f8b19f2ca6c24f8e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 11:27:06 +0200 +Subject: net/sched: act_pedit: sanitize shift argument before usage + +From: Paolo Abeni + +[ Upstream commit 4d42d54a7d6aa6d29221d3fd4f2ae9503e94f011 ] + +syzbot was able to trigger an Out-of-Bound on the pedit action: + +UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43 +shift exponent 1400735974 is too large for 32-bit type 'unsigned int' +CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + ubsan_epilogue+0xb/0x50 lib/ubsan.c:151 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322 + tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238 + tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367 + tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432 + tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956 + tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fe36e9e1b59 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 
c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59 +RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 +RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The 'shift' field is not validated, and any value above 31 will +trigger out-of-bounds. The issue predates the git history, but +syzbot was able to trigger it only after the commit mentioned in +the fixes tag, and this change only applies on top of such commit. + +Address the issue bounding the 'shift' value to the maximum allowed +by the relevant operator. + +Reported-and-tested-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com +Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_pedit.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c +index 90510298b32a..0d5463ddfd62 100644 +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -232,6 +232,10 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + for (i = 0; i < p->tcfp_nkeys; ++i) { + u32 cur = p->tcfp_keys[i].off; + ++ /* sanitize the shift value for any later use */ ++ p->tcfp_keys[i].shift = min_t(size_t, BITS_PER_TYPE(int) - 1, ++ p->tcfp_keys[i].shift); ++ + /* The AT option can read a single byte, we can bound the actual + * value with uchar max. + */ +-- +2.35.1 + diff --git a/queue-5.10/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch b/queue-5.10/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch new file mode 100644 index 00000000000..58b95a2da91 --- /dev/null 
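Review bot: In tcf_pedit_init(), the added `min_t()` silently clamps a user-supplied `shift` to 31 instead of rejecting it, so a netlink request with an out-of-range shift is accepted and then behaves differently from what was asked. Returning `-EINVAL` for `shift >= BITS_PER_TYPE(int)`, with an extack message if one is available in this function, would surface the malformed request rather than hide it. Clamping may have been chosen to avoid breaking existing users, which is worth stating in the comment. As written, `/* sanitize the shift value for any later use */` could become `/* shift comes from userspace; clamp to 31 so later shifts stay defined */`. The loop and the function continue outside the hunk.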
+++ b/queue-5.10/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch @@ -0,0 +1,46 @@ +From 6fb1c8179f46759cf59e21228441e248ae0e4df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 11:13:16 +0800 +Subject: net: stmmac: fix missing pci_disable_device() on error in + stmmac_pci_probe() + +From: Yang Yingliang + +[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ] + +Switch to using pcim_enable_device() to avoid missing pci_disable_device(). + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220510031316.1780409-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index 272cb47af9f2..a7a1227c9b92 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -175,7 +175,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev, + return -ENOMEM; + + /* Enable pci device */ +- ret = pci_enable_device(pdev); ++ ret = pcim_enable_device(pdev); + if (ret) { + dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", + __func__); +@@ -227,8 +227,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev) + pcim_iounmap_regions(pdev, BIT(i)); + break; + } +- +- pci_disable_device(pdev); + } + + static int __maybe_unused stmmac_pci_suspend(struct device *dev) +-- +2.35.1 + diff --git a/queue-5.10/net-systemport-fix-an-error-handling-path-in-bcm_sys.patch b/queue-5.10/net-systemport-fix-an-error-handling-path-in-bcm_sys.patch new file mode 100644 index 00000000000..2f3ee0635ac --- /dev/null +++ b/queue-5.10/net-systemport-fix-an-error-handling-path-in-bcm_sys.patch 
@@ -0,0 +1,44 @@ +From 9f9b5d4284987be44134ff36af882f9b4937f819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 19:01:56 +0200 +Subject: net: systemport: Fix an error handling path in bcm_sysport_probe() + +From: Christophe JAILLET + +[ Upstream commit ef6b1cd11962aec21c58d137006ab122dbc8d6fd ] + +if devm_clk_get_optional() fails, we still need to go through the error +handling path. + +Add the missing goto. + +Fixes: 6328a126896ea ("net: systemport: Manage Wake-on-LAN clock") +Signed-off-by: Christophe JAILLET +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/99d70634a81c229885ae9e4ee69b2035749f7edc.1652634040.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 1a703b95208b..82d369d9f7a5 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -2592,8 +2592,10 @@ static int bcm_sysport_probe(struct platform_device *pdev) + device_set_wakeup_capable(&pdev->dev, 1); + + priv->wol_clk = devm_clk_get_optional(&pdev->dev, "sw_sysportwol"); +- if (IS_ERR(priv->wol_clk)) +- return PTR_ERR(priv->wol_clk); ++ if (IS_ERR(priv->wol_clk)) { ++ ret = PTR_ERR(priv->wol_clk); ++ goto err_deregister_fixed_link; ++ } + + /* Set the needed headroom once and for all */ + BUILD_BUG_ON(sizeof(struct bcm_tsb) != 8); +-- +2.35.1 + diff --git a/queue-5.10/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch b/queue-5.10/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch new file mode 100644 index 00000000000..7317f0a6510 --- /dev/null +++ b/queue-5.10/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch 
@@ -0,0 +1,68 @@ +From ef395f7471f3dfa1af9444e7330dc52bd30eacd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:07:11 +0800 +Subject: net: vmxnet3: fix possible NULL pointer dereference in + vmxnet3_rq_cleanup() + +From: Zixuan Fu + +[ Upstream commit edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd ] + +In vmxnet3_rq_create(), when dma_alloc_coherent() fails, +vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then +vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all() +-> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls +vmxnet3_force_close() -> dev_close() in error handling code. And the driver +calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all() +-> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(), +rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing +a NULL pointer dereference. + +To fix this possible bug, an if statement is added to check whether +rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so. + +The error log in our fault-injection testing is shown as follows: + +[ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008 +... +[ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3] +... +[ 65.227977] Call Trace: +... +[ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3] +[ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3] +[ 65.228866] __dev_close_many+0x288/0x350 +[ 65.229607] dev_close_many+0xa4/0x480 +[ 65.231124] dev_close+0x138/0x230 +[ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3] +[ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3] +... 
+ +Fixes: d1a890fa37f27 ("net: VMware virtual Ethernet NIC driver: vmxnet3") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050711.2636709-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 530d555988ae..6678a734cc4d 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1656,6 +1656,10 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq, + u32 i, ring_idx; + struct Vmxnet3_RxDesc *rxd; + ++ /* ring has already been cleaned up */ ++ if (!rq->rx_ring[0].base) ++ return; ++ + for (ring_idx = 0; ring_idx < 2; ring_idx++) { + for (i = 0; i < rq->rx_ring[ring_idx].size; i++) { + #ifdef __BIG_ENDIAN_BITFIELD +-- +2.35.1 + diff --git a/queue-5.10/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch b/queue-5.10/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch new file mode 100644 index 00000000000..30b58500b7e --- /dev/null +++ b/queue-5.10/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch 
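Review bot: The early return added to vmxnet3_rq_cleanup() tests only `rq->rx_ring[0].base`, while the loop right below walks both `ring_idx` 0 and 1. That is safe only if the two rings are always allocated and destroyed together. If ring 0 can be valid while ring 1's `base` is NULL, the dereference described in the commit message would still be reachable, so a per-ring check inside the loop (`if (!rq->rx_ring[ring_idx].base) continue;`) would be more defensive. The comment could also cover the never-allocated case, e.g. `/* rings were never allocated or have already been destroyed */`. The function body continues outside the hunk.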
@@ -0,0 +1,94 @@ +From 2205982c5306e63bf18d88faf6114316f4ea4c63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:06:56 +0800 +Subject: net: vmxnet3: fix possible use-after-free bugs in + vmxnet3_rq_alloc_rx_buf() + +From: Zixuan Fu + +[ Upstream commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 ] + +In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is +freed immediately. Similarly, in another branch, when dma_map_page() fails, +rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf() +returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all() +-> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls +vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page +are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs. + +To fix these possible bugs, rbi->skb and rbi->page should be cleared after +they are freed. + +The error log in our fault-injection testing is shown as follows: + +[ 14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150 +... +[ 14.321586] Call Trace: +... +[ 14.325357] consume_skb+0x2f/0x150 +[ 14.325671] vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3] +[ 14.326150] vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3] +[ 14.326616] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.361675] Allocated by task 351: +... +[ 14.362688] __netdev_alloc_skb+0x1b3/0x6f0 +[ 14.362960] vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3] +[ 14.363317] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.363661] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.367309] +[ 14.367412] Freed by task 351: +... 
+[ 14.368932] __dev_kfree_skb_any+0xd2/0xe0 +[ 14.369193] vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3] +[ 14.369544] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.369883] vmxnet3_open+0x387/0x470 [vmxnet3] +[ 14.370174] __dev_open+0x28a/0x420 +[ 14.370399] __dev_change_flags+0x192/0x590 +[ 14.370667] dev_change_flags+0x7a/0x180 +[ 14.370919] do_setlink+0xb28/0x3570 +[ 14.371150] rtnl_newlink+0x1160/0x1740 +[ 14.371399] rtnetlink_rcv_msg+0x5bf/0xa50 +[ 14.371661] netlink_rcv_skb+0x1cd/0x3e0 +[ 14.371913] netlink_unicast+0x5dc/0x840 +[ 14.372169] netlink_sendmsg+0x856/0xc40 +[ 14.372420] ____sys_sendmsg+0x8a7/0x8d0 +[ 14.372673] __sys_sendmsg+0x1c2/0x270 +[ 14.372914] do_syscall_64+0x41/0x90 +[ 14.373145] entry_SYSCALL_64_after_hwframe+0x44/0xae +... + +Fixes: 5738a09d58d5a ("vmxnet3: fix checks for dma mapping errors") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050656.2636588-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 932a39945cc6..530d555988ae 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -595,6 +595,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + dev_kfree_skb_any(rbi->skb); ++ rbi->skb = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +@@ -619,6 +620,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + put_page(rbi->page); ++ rbi->page = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +-- +2.35.1 + diff --git a/queue-5.10/net-xfrm-fix-shift-out-of-bounce.patch b/queue-5.10/net-xfrm-fix-shift-out-of-bounce.patch new file mode 100644 index 00000000000..98d97216c47 
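Review bot: The two added `= NULL` assignments in vmxnet3_rq_alloc_rx_buf() carry the whole fix, but nothing at the two sites says why they are needed, so a later cleanup could drop them as redundant. A short comment on each, such as `/* cleared so the cleanup path does not free it a second time */`, would record the reason given in the commit message. Both hunks sit inside branches whose enclosing loop starts and ends outside the visible lines.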
--- /dev/null +++ b/queue-5.10/net-xfrm-fix-shift-out-of-bounce.patch 
@@ -0,0 +1,60 @@ +From 9b89a0868d94e7c306455d222bdd32b2500e0c17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 19:38:18 +0300 +Subject: net: xfrm: fix shift-out-of-bounce + +From: Pavel Skripkin + +[ Upstream commit 5d8dbb7fb82b8661c16d496644b931c0e2e3a12e ] + +We need to check up->dirmask to avoid shift-out-of-bounce bug, +since up->dirmask comes from userspace. + +Also, added XFRM_USERPOLICY_DIRMASK_MAX constant to uapi to inform +user-space that up->dirmask has maximum possible value + +Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") +Reported-and-tested-by: syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/uapi/linux/xfrm.h | 1 + + net/xfrm/xfrm_user.c | 7 ++++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h +index b963e1acf65a..2a2c4dcb015f 100644 +--- a/include/uapi/linux/xfrm.h ++++ b/include/uapi/linux/xfrm.h +@@ -521,6 +521,7 @@ struct xfrm_user_offload { + #define XFRM_OFFLOAD_INBOUND 2 + + struct xfrm_userpolicy_default { ++#define XFRM_USERPOLICY_DIRMASK_MAX (sizeof(__u8) * 8) + __u8 dirmask; + __u8 action; + }; +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index dec24f280e83..026f29f80f88 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1919,9 +1919,14 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, + { + struct net *net = sock_net(skb->sk); + struct xfrm_userpolicy_default *up = nlmsg_data(nlh); +- u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK; ++ u8 dirmask; + u8 old_default = net->xfrm.policy_default; + ++ if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX) ++ return -EINVAL; ++ ++ dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK; ++ + net->xfrm.policy_default = (old_default & (0xff ^ dirmask)) + | (up->action << up->dirmask); + +-- 
+2.35.1 + diff --git a/queue-5.10/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch b/queue-5.10/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch new file mode 100644 index 00000000000..534bda0a9bb --- /dev/null +++ b/queue-5.10/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch 
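Review bot: In xfrm_set_default(), the new check bounds `up->dirmask` by the bit width of `__u8`, but the value OR-ed into `net->xfrm.policy_default` on the following lines, `up->action << up->dirmask`, is still not restricted to the selected direction bit. `dirmask` is masked with `XFRM_POL_DEFAULT_MASK` whereas the shifted `up->action` is not. An `action` with extra bits set, or a `dirmask` that is in range for the shift but outside the mask, can therefore write other bits of the default policy; both fields come from the netlink message. Masking the written value, `| ((up->action << up->dirmask) & dirmask)`, or rejecting unexpected `action` values with `-EINVAL`, would close that. The value of `XFRM_POL_DEFAULT_MASK` is not visible in this hunk, so the exact set of valid directions should be confirmed.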
@@ -0,0 +1,81 @@ +From aa7427d8063b25fd0cfb10ecd66ed63e2d301bb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 09:25:30 +0800 +Subject: NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc + +From: Duoming Zhou + +[ Upstream commit 23dd4581350d4ffa23d58976ec46408f8f4c1e16 ] + +There are sleep in atomic context bugs when the request to secure +element of st-nci is timeout. The root cause is that nci_skb_alloc +with GFP_KERNEL parameter is called in st_nci_se_wt_timeout which is +a timer handler. The call paths that could trigger bugs are shown below: + + (interrupt context 1) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_skb_alloc(..., GFP_KERNEL) //may sleep + + (interrupt context 2) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_send_data + nci_queue_tx_data_frags + nci_skb_alloc(..., GFP_KERNEL) //may sleep + +This patch changes allocation mode of nci_skb_alloc from GFP_KERNEL to +GFP_ATOMIC in order to prevent atomic context sleeping. The GFP_ATOMIC +flag makes memory allocation operation could be used in atomic context. 
+ +Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci") +Signed-off-by: Duoming Zhou +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220517012530.75714-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 2 +- + net/nfc/nci/hci.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index ce3382be937f..b002e18f38c8 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -118,7 +118,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev, + + skb_frag = nci_skb_alloc(ndev, + (NCI_DATA_HDR_SIZE + frag_len), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (skb_frag == NULL) { + rc = -ENOMEM; + goto free_exit; +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index 04e55ccb3383..4fe336ff2bfa 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -153,7 +153,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + + i = 0; + skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +@@ -186,7 +186,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (i < data_len) { + skb = nci_skb_alloc(ndev, + conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-5.10/nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch b/queue-5.10/nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch new file mode 100644 index 00000000000..82620bcca63 --- /dev/null +++ b/queue-5.10/nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch 
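Review bot: The three `nci_skb_alloc()` calls in nci_queue_tx_data_frags() and nci_hci_send_data() now use `GFP_ATOMIC` unconditionally, so callers in process context also lose the ability to wait for memory and will hit the visible `-ENOMEM` returns more readily under memory pressure. A comment at each site would record why the flag must stay, e.g. `/* reachable from the st_nci_se_wt_timeout() timer handler, so must not sleep */`. Whether other sleeping operations exist on the same call paths cannot be judged from these hunks and is worth checking against the full functions.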
@@ -0,0 +1,53 @@
+From d079b79f60ab9a4eac15d88919c4040714af86f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 May 2022 10:21:38 +0200
+Subject: nl80211: fix locking in nl80211_set_tx_bitrate_mask()
+
+From: Johannes Berg
+
+[ Upstream commit f971e1887fdb3ab500c9bebf4b98f62d49a20655 ]
+
+This accesses the wdev's chandef etc., so cannot safely
+be used without holding the lock.
+
+Signed-off-by: Johannes Berg
+Link: https://lore.kernel.org/r/20220506102136.06b7205419e6.I2a87c05fbd8bc5e565e84d190d4cfd2e92695a90@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/nl80211.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 283447df5fc6..f8d5f35cfc66 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -11095,18 +11095,23 @@ static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
+ struct cfg80211_bitrate_mask mask;
+ struct cfg80211_registered_device *rdev = info->user_ptr[0];
+ struct net_device *dev = info->user_ptr[1];
++ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ int err;
+
+ if (!rdev->ops->set_bitrate_mask)
+ return -EOPNOTSUPP;
+
++ wdev_lock(wdev);
+ err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
+ NL80211_ATTR_TX_RATES, &mask,
+ dev);
+ if (err)
+- return err;
++ goto out;
+
+- return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
++ err = rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
++out:
++ wdev_unlock(wdev);
++ return err;
+ }
+
+ static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
+--
+2.35.1
+
diff --git a/queue-5.10/nl80211-validate-s1g-channel-width.patch b/queue-5.10/nl80211-validate-s1g-channel-width.patch
new file mode 100644
index 00000000000..2d8c842b330
--- /dev/null
+++ b/queue-5.10/nl80211-validate-s1g-channel-width.patch
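Review bot: `wdev_lock(wdev)` in `nl80211_set_tx_bitrate_mask()` is taken with no comment on what it protects, and it is now also held across the driver callback `rdev_set_bitrate_mask()`, which the commit message does not mention. A comment above the lock such as `/* parsing reads the wdev's chandef, which needs the wdev lock */` would record the reason. Whether every driver's `set_bitrate_mask` op tolerates being called with the wdev lock held cannot be checked from this hunk and is worth confirming for the 5.10 backport.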
@@ -0,0 +1,44 @@
+From ad81c9229abd9e56203958f98d393266b5bd38a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Apr 2022 04:13:21 +0000
+Subject: nl80211: validate S1G channel width
+
+From: Kieran Frewen
+
+[ Upstream commit 5d087aa759eb82b8208411913f6c2158bd85abc0 ]
+
+Validate the S1G channel width input by user to ensure it matches
+that of the requested channel
+
+Signed-off-by: Kieran Frewen
+Signed-off-by: Bassem Dawood
+Link: https://lore.kernel.org/r/20220420041321.3788789-2-kieran.frewen@morsemicro.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/nl80211.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 12f44ad4e0d8..283447df5fc6 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2955,6 +2955,15 @@ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
+ } else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
+ chandef->width =
+ nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
++ if (chandef->chan->band == NL80211_BAND_S1GHZ) {
++ /* User input error for channel width doesn't match channel */
++ if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
++ NL_SET_ERR_MSG_ATTR(extack,
++ attrs[NL80211_ATTR_CHANNEL_WIDTH],
++ "bad channel width");
++ return -EINVAL;
++ }
++ }
+ if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
+ chandef->center_freq1 =
+ nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
+--
+2.35.1
+
diff --git a/queue-5.10/perf-bench-numa-address-compiler-error-on-s390.patch b/queue-5.10/perf-bench-numa-address-compiler-error-on-s390.patch
new file mode 100644
index 00000000000..69b176e48bb
--- /dev/null
+++ b/queue-5.10/perf-bench-numa-address-compiler-error-on-s390.patch
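Review bot: The comment added in `nl80211_parse_chandef()`, `/* User input error for channel width doesn't match channel */`, is hard to parse, and the two nested `if`s guard a single action. Suggest `/* the user-supplied width must match the width implied by the S1G channel */` and folding the tests into one `if (chandef->chan->band == NL80211_BAND_S1GHZ && chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {`. The check sits only in the `NL80211_ATTR_CHANNEL_WIDTH` branch, so a request that takes the preceding branch of this `else if` is not validated here. Whether that matters for S1G depends on code outside the hunk, as does the guarantee that `chandef->chan` is non-NULL at this point.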
@@ -0,0 +1,67 @@ +From b15d853bb376c132daf78b713b519b8d92e225ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 10:11:58 +0200 +Subject: perf bench numa: Address compiler error on s390 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Richter + +[ Upstream commit f8ac1c478424a9a14669b8cef7389b1e14e5229d ] + +The compilation on s390 results in this error: + + # make DEBUG=y bench/numa.o + ... + bench/numa.c: In function ‘__bench_numa’: + bench/numa.c:1749:81: error: ‘%d’ directive output may be truncated + writing between 1 and 11 bytes into a region of size between + 10 and 20 [-Werror=format-truncation=] + 1749 | snprintf(tname, sizeof(tname), "process%d:thread%d", p, t); + ^~ + ... + bench/numa.c:1749:64: note: directive argument in the range + [-2147483647, 2147483646] + ... + # + +The maximum length of the %d replacement is 11 characters because of the +negative sign. Therefore extend the array by two more characters. 
+ +Output after: + + # make DEBUG=y bench/numa.o > /dev/null 2>&1; ll bench/numa.o + -rw-r--r-- 1 root root 418320 May 19 09:11 bench/numa.o + # + +Fixes: 3aff8ba0a4c9c919 ("perf bench numa: Avoid possible truncation when using snprintf()") +Suggested-by: Namhyung Kim +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Sumanth Korikkar +Cc: Sven Schnelle +Cc: Vasily Gorbik +Link: https://lore.kernel.org/r/20220520081158.2990006-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index 11726ec6285f..88c11305bdd5 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -1656,7 +1656,7 @@ static int __bench_numa(const char *name) + "GB/sec,", "total-speed", "GB/sec total speed"); + + if (g->p.show_details >= 2) { +- char tname[14 + 2 * 10 + 1]; ++ char tname[14 + 2 * 11 + 1]; + struct thread_data *td; + for (p = 0; p < g->p.nr_proc; p++) { + for (t = 0; t < g->p.nr_threads; t++) { +-- +2.35.1 + diff --git a/queue-5.10/perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch b/queue-5.10/perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch new file mode 100644 index 00000000000..948d810f95d --- /dev/null +++ b/queue-5.10/perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch 
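Review bot: The size expression `14 + 2 * 11 + 1` for `tname` in `__bench_numa()` is unexplained arithmetic that has already been wrong once. A comment would make it checkable against the format string, e.g. `/* "process" + ":thread" (14) + two %d of up to 11 chars each + NUL */`. The `snprintf()` call quoted in the commit message lies outside the hunk; comparing its return value with `sizeof(tname)` would catch truncation at run time rather than only through the compiler warning.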
@@ -0,0 +1,90 @@ +From 10bf5d52d5249495c5699560235c43dd5341c114 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 07:51:25 -0700 +Subject: perf regs x86: Fix arch__intr_reg_mask() for the hybrid platform + +From: Kan Liang + +[ Upstream commit 01b28e4a58152e8906eeb5f1b55a0c404c48c7c8 ] + +The X86 specific arch__intr_reg_mask() is to check whether the kernel +and hardware can collect XMM registers. But it doesn't work on some +hybrid platform. + +Without the patch on ADL-N: + + $ perf record -I? + available registers: AX BX CX DX SI DI BP SP IP FLAGS CS SS R8 R9 R10 + R11 R12 R13 R14 R15 + +The config of the test event doesn't contain the PMU information. The +kernel may fail to initialize it on the correct hybrid PMU and return +the wrong non-supported information. + +Add the PMU information into the config for the hybrid platform. The +same register set is supported among different hybrid PMUs. Checking +the first available one is good enough. + +With the patch on ADL-N: + + $ perf record -I? 
+ available registers: AX BX CX DX SI DI BP SP IP FLAGS CS SS R8 R9 R10 + R11 R12 R13 R14 R15 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7 XMM8 XMM9 + XMM10 XMM11 XMM12 XMM13 XMM14 XMM15 + +Fixes: 6466ec14aaf44ff1 ("perf regs x86: Add X86 specific arch__intr_reg_mask()") +Reported-by: Ammy Yi +Signed-off-by: Kan Liang +Acked-by: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Xing Zhengjun +Link: https://lore.kernel.org/r/20220518145125.1494156-1-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/perf_regs.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/tools/perf/arch/x86/util/perf_regs.c b/tools/perf/arch/x86/util/perf_regs.c +index fca81b39b09f..c46e2920e460 100644 +--- a/tools/perf/arch/x86/util/perf_regs.c ++++ b/tools/perf/arch/x86/util/perf_regs.c +@@ -9,6 +9,8 @@ + #include "../../../util/perf_regs.h" + #include "../../../util/debug.h" + #include "../../../util/event.h" ++#include "../../../util/pmu.h" ++#include "../../../util/pmu-hybrid.h" + + const struct sample_reg sample_reg_masks[] = { + SMPL_REG(AX, PERF_REG_X86_AX), +@@ -284,12 +286,22 @@ uint64_t arch__intr_reg_mask(void) + .disabled = 1, + .exclude_kernel = 1, + }; ++ struct perf_pmu *pmu; + int fd; + /* + * In an unnamed union, init it here to build on older gcc versions + */ + attr.sample_period = 1; + ++ if (perf_pmu__has_hybrid()) { ++ /* ++ * The same register set is supported among different hybrid PMUs. ++ * Only check the first available one. ++ */ ++ pmu = list_first_entry(&perf_pmu__hybrid_pmus, typeof(*pmu), hybrid_list); ++ attr.config |= (__u64)pmu->type << PERF_PMU_TYPE_SHIFT; ++ } ++ + event_attr_init(&attr); + + fd = sys_perf_event_open(&attr, 0, -1, -1, 0); +-- +2.35.1 + 
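Review bot: In the second hunk of perf_regs.c, `list_first_entry(&perf_pmu__hybrid_pmus, typeof(*pmu), hybrid_list)` is used without an emptiness check, and on an empty list that macro yields a pointer computed from the list head rather than a real `struct perf_pmu`. The code relies on `perf_pmu__has_hybrid()` implying a non-empty list, which is probably true but is defined outside the hunk. Either say so in the existing comment or guard it explicitly, e.g. `if (perf_pmu__has_hybrid() && !list_empty(&perf_pmu__hybrid_pmus)) {`. `arch__intr_reg_mask()` starts and ends outside the hunk.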
diff --git a/queue-5.10/pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch b/queue-5.10/pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch
new file mode 100644
index 00000000000..ba0dcdee959
--- /dev/null
+++ b/queue-5.10/pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch
@@ -0,0 +1,71 @@ +From 1a9e3e022ce9fa67db143731927e8d171b0af32d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:27 -0700 +Subject: pinctrl: pinctrl-aspeed-g6: remove FWQSPID group in pinctrl + +From: Jae Hyun Yoo + +[ Upstream commit 3eef2f48ba0933ba995529f522554ad5c276c39b ] + +FWSPIDQ2 and FWSPIDQ3 are not part of FWSPI18 interface so remove +FWQSPID group in pinctrl. These pins must be used with the FWSPI +pins that are dedicated for boot SPI interface which provides +same 3.3v logic level. + +Fixes: 2eda1cdec49f ("pinctrl: aspeed: Add AST2600 pinmux support") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-3-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c +index 5c1a109842a7..c2ba4064ce5b 100644 +--- a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c ++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c +@@ -1224,18 +1224,12 @@ FUNC_GROUP_DECL(SALT8, AA12); + FUNC_GROUP_DECL(WDTRST4, AA12); + + #define AE12 196 +-SIG_EXPR_LIST_DECL_SEMG(AE12, FWSPIDQ2, FWQSPID, FWSPID, +- SIG_DESC_SET(SCU438, 4)); + SIG_EXPR_LIST_DECL_SESG(AE12, GPIOY4, GPIOY4); +-PIN_DECL_(AE12, SIG_EXPR_LIST_PTR(AE12, FWSPIDQ2), +- SIG_EXPR_LIST_PTR(AE12, GPIOY4)); ++PIN_DECL_(AE12, SIG_EXPR_LIST_PTR(AE12, GPIOY4)); + + #define AF12 197 +-SIG_EXPR_LIST_DECL_SEMG(AF12, FWSPIDQ3, FWQSPID, FWSPID, +- SIG_DESC_SET(SCU438, 5)); + SIG_EXPR_LIST_DECL_SESG(AF12, GPIOY5, GPIOY5); +-PIN_DECL_(AF12, SIG_EXPR_LIST_PTR(AF12, FWSPIDQ3), +- SIG_EXPR_LIST_PTR(AF12, GPIOY5)); ++PIN_DECL_(AF12, SIG_EXPR_LIST_PTR(AF12, GPIOY5)); + + #define AC12 198 + SSSF_PIN_DECL(AC12, GPIOY6, FWSPIABR, SIG_DESC_SET(SCU438, 6)); +@@ -1508,9 +1502,8 @@ SIG_EXPR_LIST_DECL_SEMG(Y4, EMMCDAT7, 
EMMCG8, EMMC, SIG_DESC_SET(SCU404, 3)); + PIN_DECL_3(Y4, GPIO18E3, FWSPIDMISO, VBMISO, EMMCDAT7); + + GROUP_DECL(FWSPID, Y1, Y2, Y3, Y4); +-GROUP_DECL(FWQSPID, Y1, Y2, Y3, Y4, AE12, AF12); + GROUP_DECL(EMMCG8, AB4, AA4, AC4, AA5, Y5, AB5, AB6, AC5, Y1, Y2, Y3, Y4); +-FUNC_DECL_2(FWSPID, FWSPID, FWQSPID); ++FUNC_DECL_1(FWSPID, FWSPID); + FUNC_GROUP_DECL(VB, Y1, Y2, Y3, Y4); + FUNC_DECL_3(EMMC, EMMCG1, EMMCG4, EMMCG8); + /* +@@ -1906,7 +1899,6 @@ static const struct aspeed_pin_group aspeed_g6_groups[] = { + ASPEED_PINCTRL_GROUP(FSI2), + ASPEED_PINCTRL_GROUP(FWSPIABR), + ASPEED_PINCTRL_GROUP(FWSPID), +- ASPEED_PINCTRL_GROUP(FWQSPID), + ASPEED_PINCTRL_GROUP(FWSPIWP), + ASPEED_PINCTRL_GROUP(GPIT0), + ASPEED_PINCTRL_GROUP(GPIT1), +-- +2.35.1 + diff --git a/queue-5.10/riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch b/queue-5.10/riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch new file mode 100644 index 00000000000..889322c01c6 --- /dev/null +++ b/queue-5.10/riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch 
@@ -0,0 +1,38 @@
+From b0ea55e2275f9a8ef83307422f83730ab3fe32d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Apr 2022 21:38:56 +0200
+Subject: riscv: dts: sifive: fu540-c000: align dma node name with dtschema
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit b17410182b6f98191fbf7f42d3b4a78512769d29 ]
+
+Fixes dtbs_check warnings like:
+
+ dma@3000000: $nodename:0: 'dma@3000000' does not match '^dma-controller(@.*)?$'
+
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20220407193856.18223-1-krzysztof.kozlowski@linaro.org
+Fixes: c5ab54e9945b ("riscv: dts: add support for PDMA device of HiFive Unleashed Rev A00")
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/boot/dts/sifive/fu540-c000.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
+index 7db861053483..64c06c9b41dc 100644
+--- a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
++++ b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
+@@ -166,7 +166,7 @@ uart0: serial@10010000 {
+ clocks = <&prci PRCI_CLK_TLCLK>;
+ status = "disabled";
+ };
+- dma: dma@3000000 {
++ dma: dma-controller@3000000 {
+ compatible = "sifive,fu540-c000-pdma";
+ reg = <0x0 0x3000000 0x0 0x8000>;
+ interrupt-parent = <&plic0>;
+--
+2.35.1
+
diff --git a/queue-5.10/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch b/queue-5.10/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch
new file mode 100644
index 00000000000..b8a373b4eb7
--- /dev/null
+++ b/queue-5.10/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch
@@ -0,0 +1,51 @@
+From 21fe2d4b22436d2b76598839bdba28c1fd3ab866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Apr 2022 12:42:29 +0000
+Subject: scsi: qla2xxx: Fix missed DMA unmap for aborted commands
+
+From: Gleb Chesnokov
+
+[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ]
+
+Aborting commands that have already been sent to the firmware can
+cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped)
+
+For instance:
+
+ - Command passes rdx_to_xfer state, maps sgl, sends to the firmware
+
+ - Reset occurs, qla2xxx performs ISP error recovery, aborts the command
+
+ - Target stack calls qlt_abort_cmd() and then qlt_free_cmd()
+
+ - BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not
+ unmapped
+
+Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set.
+
+Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Gleb Chesnokov
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qla2xxx/qla_target.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index cf9ae0ab489a..ba823e8eb902 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -3773,6 +3773,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd)
+
+ spin_lock_irqsave(&cmd->cmd_lock, flags);
+ if (cmd->aborted) {
++ if (cmd->sg_mapped)
++ qlt_unmap_sg(vha, cmd);
++
+ spin_unlock_irqrestore(&cmd->cmd_lock, flags);
+ /*
+ * It's normal to see 2 calls in this path:
+--
+2.35.1
+
diff --git a/queue-5.10/selftests-add-ping-test-with-ping_group_range-tuned.patch b/queue-5.10/selftests-add-ping-test-with-ping_group_range-tuned.patch
new file mode 100644
index 00000000000..b6d97861c28
--- /dev/null
+++ b/queue-5.10/selftests-add-ping-test-with-ping_group_range-tuned.patch
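Review bot: The added `if (cmd->sg_mapped) qlt_unmap_sg(vha, cmd);` in `qlt_abort_cmd()` runs with `cmd->cmd_lock` held and interrupts disabled, but nothing in the hunk says whether the other paths that unmap the scatterlist take the same lock. If they do not, the test-then-unmap here could race with a completion path; this is inferred, since `qlt_unmap_sg()` and its other callers are outside the hunk. A comment such as `/* sgl was mapped before the abort; unmap it here so qlt_free_cmd() does not hit BUG_ON(cmd->sg_mapped) */`, plus a word on what serialises `sg_mapped`, would help the next reader. `vha` is declared above the hunk and the function continues below it.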
@@ -0,0 +1,67 @@ +From c734f137c667d28c0ac0c034b4da37c3d485eeb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 May 2022 11:07:39 +0200 +Subject: selftests: add ping test with ping_group_range tuned + +From: Nicolas Dichtel + +[ Upstream commit e71b7f1f44d3d88c677769c85ef0171caf9fc89f ] + +The 'ping' utility is able to manage two kind of sockets (raw or icmp), +depending on the sysctl ping_group_range. By default, ping_group_range is +set to '1 0', which forces ping to use an ip raw socket. + +Let's replay the ping tests by allowing 'ping' to use the ip icmp socket. +After the previous patch, ipv4 tests results are the same with both kinds +of socket. For ipv6, there are a lot a new failures (the previous patch +fixes only two cases). + +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fcnal-test.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh +index ace976d89125..4a11ea2261cb 100755 +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -794,10 +794,16 @@ ipv4_ping() + setup + set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null + ipv4_ping_novrf ++ setup ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv4_ping_novrf + + log_subsection "With VRF" + setup "yes" + ipv4_ping_vrf ++ setup "yes" ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv4_ping_vrf + } + + ################################################################################ +@@ -2261,10 +2267,16 @@ ipv6_ping() + log_subsection "No VRF" + setup + ipv6_ping_novrf ++ setup ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv6_ping_novrf + + log_subsection "With VRF" + setup "yes" + ipv6_ping_vrf ++ setup "yes" ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 
2>/dev/null ++ ipv6_ping_vrf + } + + ################################################################################ +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 9e42bfafd40..aaa1dd216fc 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
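Review bot: Each added `set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null` discards stderr and its result is not checked, so if the sysctl cannot be set the second pass may silently repeat the raw-socket run and be counted as ICMP-socket coverage. `set_sysctl` is defined outside the hunks, so how it reports failure is not visible here. Consider labelling the repeated passes in both `ipv4_ping()` and `ipv6_ping()`, e.g. `log_subsection "No VRF, ping_group_range set"`, so the results show which socket type each pass exercised. The IPv6 passes use the `net.ipv4.` key as well; a short comment that this sysctl also governs IPv6 ping sockets would stop it being read as a typo.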
@@ -44,3 +44,47 @@ crypto-qcom-rng-fix-infinite-loop-on-requests-not-multiple-of-word_sz.patch libceph-fix-potential-use-after-free-on-linger-ping-and-resends.patch drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch dma-buf-fix-use-of-dma_buf_set_name_-a-b-in-userspace.patch +arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch +pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch +arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch +net-ipa-record-proper-rx-transaction-count.patch +net-macb-increment-rx-bd-head-after-allocating-skb-a.patch +net-evaluate-net.ipvx.conf.all.disable_policy-and-di.patch +xfrm-add-possibility-to-set-the-default-to-block-if-.patch +net-xfrm-fix-shift-out-of-bounce.patch +xfrm-make-user-policy-api-complete.patch +xfrm-notify-default-policy-on-update.patch +xfrm-fix-dflt-policy-check-when-there-is-no-policy-c.patch +xfrm-rework-default-policy-structure.patch +xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch +net-sched-act_pedit-sanitize-shift-argument-before-u.patch +net-systemport-fix-an-error-handling-path-in-bcm_sys.patch +net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch +net-vmxnet3-fix-possible-null-pointer-dereference-in.patch +ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch +clk-at91-generated-consider-range-when-calculating-b.patch +net-qla3xxx-fix-a-test-in-ql_reset_work.patch +nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch +net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch +net-af_key-add-check-for-pfkey_broadcast-in-function.patch +arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch +arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch +igb-skip-phy-status-check-where-unavailable.patch +net-bridge-clear-offload_fwd_mark-when-passing-frame.patch +riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch +gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch +gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch 
+perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch +perf-bench-numa-address-compiler-error-on-s390.patch +scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch +mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch +nl80211-validate-s1g-channel-width.patch +selftests-add-ping-test-with-ping_group_range-tuned.patch +nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch +ethernet-tulip-fix-missing-pci_disable_device-on-err.patch +net-stmmac-fix-missing-pci_disable_device-on-error-i.patch +net-atlantic-fix-frag-0-not-initialized.patch +net-atlantic-reduce-scope-of-is_rsc_complete.patch +net-atlantic-add-check-for-max_skb_frags.patch +net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch +arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch diff --git a/queue-5.10/xfrm-add-possibility-to-set-the-default-to-block-if-.patch b/queue-5.10/xfrm-add-possibility-to-set-the-default-to-block-if-.patch new file mode 100644 index 00000000000..d2362bd5044 --- /dev/null +++ b/queue-5.10/xfrm-add-possibility-to-set-the-default-to-block-if-.patch 
@@ -0,0 +1,264 @@ +From 6f525b6c711ecdf03673955632b7a3d82641b90c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 09:11:06 +0200 +Subject: xfrm: Add possibility to set the default to block if we have no + policy + +From: Steffen Klassert + +[ Upstream commit 2d151d39073aff498358543801fca0f670fea981 ] + +As the default we assume the traffic to pass, if we have no +matching IPsec policy. With this patch, we have a possibility to +change this default from allow to block. It can be configured +via netlink. Each direction (input/output/forward) can be +configured separately. With the default to block configuered, +we need allow policies for all packet flows we accept. +We do not use default policy lookup for the loopback device. + +v1->v2 + - fix compiling when XFRM is disabled + - Reported-by: kernel test robot + +Co-developed-by: Christian Langrock +Signed-off-by: Christian Langrock +Co-developed-by: Antony Antony +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/netns/xfrm.h | 7 ++++++ + include/net/xfrm.h | 36 ++++++++++++++++++++++----- + include/uapi/linux/xfrm.h | 10 ++++++++ + net/xfrm/xfrm_policy.c | 16 ++++++++++++ + net/xfrm/xfrm_user.c | 52 +++++++++++++++++++++++++++++++++++++++ + 5 files changed, 115 insertions(+), 6 deletions(-) + +diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h +index 22e1bc72b979..b694ff0963cc 100644 +--- a/include/net/netns/xfrm.h ++++ b/include/net/netns/xfrm.h +@@ -64,6 +64,13 @@ struct netns_xfrm { + u32 sysctl_aevent_rseqth; + int sysctl_larval_drop; + u32 sysctl_acq_expires; ++ ++ u8 policy_default; ++#define XFRM_POL_DEFAULT_IN 1 ++#define XFRM_POL_DEFAULT_OUT 2 ++#define XFRM_POL_DEFAULT_FWD 4 ++#define XFRM_POL_DEFAULT_MASK 7 ++ + #ifdef CONFIG_SYSCTL + struct ctl_table_header *sysctl_hdr; + #endif +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 0049a7459649..988886f95e5b 100644 +--- a/include/net/xfrm.h ++++ 
b/include/net/xfrm.h +@@ -1088,6 +1088,22 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un + } + + #ifdef CONFIG_XFRM ++static inline bool ++xfrm_default_allow(struct net *net, int dir) ++{ ++ u8 def = net->xfrm.policy_default; ++ ++ switch (dir) { ++ case XFRM_POLICY_IN: ++ return def & XFRM_POL_DEFAULT_IN ? false : true; ++ case XFRM_POLICY_OUT: ++ return def & XFRM_POL_DEFAULT_OUT ? false : true; ++ case XFRM_POLICY_FWD: ++ return def & XFRM_POL_DEFAULT_FWD ? false : true; ++ } ++ return false; ++} ++ + int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, + unsigned short family); + +@@ -1101,9 +1117,13 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir, + if (sk && sk->sk_policy[XFRM_POLICY_IN]) + return __xfrm_policy_check(sk, ndir, skb, family); + +- return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) || +- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || +- __xfrm_policy_check(sk, ndir, skb, family); ++ if (xfrm_default_allow(net, dir)) ++ return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) || ++ (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || ++ __xfrm_policy_check(sk, ndir, skb, family); ++ else ++ return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || ++ __xfrm_policy_check(sk, ndir, skb, family); + } + + static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) +@@ -1155,9 +1175,13 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) + { + struct net *net = dev_net(skb->dev); + +- return !net->xfrm.policy_count[XFRM_POLICY_OUT] || +- (skb_dst(skb)->flags & DST_NOXFRM) || +- __xfrm_route_forward(skb, family); ++ if (xfrm_default_allow(net, XFRM_POLICY_FWD)) ++ return !net->xfrm.policy_count[XFRM_POLICY_OUT] || ++ (skb_dst(skb)->flags & DST_NOXFRM) || ++ __xfrm_route_forward(skb, family); ++ else ++ return (skb_dst(skb)->flags & DST_NOXFRM) || ++ 
__xfrm_route_forward(skb, family); + } + + static inline int xfrm4_route_forward(struct sk_buff *skb) +diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h +index 90ddb49fce84..b963e1acf65a 100644 +--- a/include/uapi/linux/xfrm.h ++++ b/include/uapi/linux/xfrm.h +@@ -213,6 +213,11 @@ enum { + XFRM_MSG_GETSPDINFO, + #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO + ++ XFRM_MSG_SETDEFAULT, ++#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT ++ XFRM_MSG_GETDEFAULT, ++#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT ++ + XFRM_MSG_MAPPING, + #define XFRM_MSG_MAPPING XFRM_MSG_MAPPING + __XFRM_MSG_MAX +@@ -515,6 +520,11 @@ struct xfrm_user_offload { + #define XFRM_OFFLOAD_IPV6 1 + #define XFRM_OFFLOAD_INBOUND 2 + ++struct xfrm_userpolicy_default { ++ __u8 dirmask; ++ __u8 action; ++}; ++ + #ifndef __KERNEL__ + /* backwards compatibility for userspace */ + #define XFRMGRP_ACQUIRE 1 +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 3d0ffd927004..2c701fb3a61b 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3161,6 +3161,11 @@ struct dst_entry *xfrm_lookup_with_ifid(struct net *net, + return dst; + + nopol: ++ if (!(dst_orig->dev->flags & IFF_LOOPBACK) && ++ !xfrm_default_allow(net, dir)) { ++ err = -EPERM; ++ goto error; ++ } + if (!(flags & XFRM_LOOKUP_ICMP)) { + dst = dst_orig; + goto ok; +@@ -3608,6 +3613,11 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + + if (!pol) { ++ if (!xfrm_default_allow(net, dir)) { ++ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); ++ return 0; ++ } ++ + if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) { + xfrm_secpath_reject(xerr_idx, skb, &fl); + XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); +@@ -3662,6 +3672,12 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + tpp[ti++] = &pols[pi]->xfrm_vec[i]; + } + xfrm_nr = ti; ++ ++ if (!xfrm_default_allow(net, dir) && !xfrm_nr) { ++ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES); ++ goto 
reject; ++ } ++ + if (npols > 1) { + xfrm_tmpl_sort(stp, tpp, xfrm_nr, family); + tpp = stp; +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 1ece01cd67a4..dec24f280e83 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1914,6 +1914,54 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, + return skb; + } + ++static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct nlattr **attrs) ++{ ++ struct net *net = sock_net(skb->sk); ++ struct xfrm_userpolicy_default *up = nlmsg_data(nlh); ++ u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK; ++ u8 old_default = net->xfrm.policy_default; ++ ++ net->xfrm.policy_default = (old_default & (0xff ^ dirmask)) ++ | (up->action << up->dirmask); ++ ++ rt_genid_bump_all(net); ++ ++ return 0; ++} ++ ++static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct nlattr **attrs) ++{ ++ struct sk_buff *r_skb; ++ struct nlmsghdr *r_nlh; ++ struct net *net = sock_net(skb->sk); ++ struct xfrm_userpolicy_default *r_up, *up; ++ int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default)); ++ u32 portid = NETLINK_CB(skb).portid; ++ u32 seq = nlh->nlmsg_seq; ++ ++ up = nlmsg_data(nlh); ++ ++ r_skb = nlmsg_new(len, GFP_ATOMIC); ++ if (!r_skb) ++ return -ENOMEM; ++ ++ r_nlh = nlmsg_put(r_skb, portid, seq, XFRM_MSG_GETDEFAULT, sizeof(*r_up), 0); ++ if (!r_nlh) { ++ kfree_skb(r_skb); ++ return -EMSGSIZE; ++ } ++ ++ r_up = nlmsg_data(r_nlh); ++ ++ r_up->action = ((net->xfrm.policy_default & (1 << up->dirmask)) >> up->dirmask); ++ r_up->dirmask = up->dirmask; ++ nlmsg_end(r_skb, r_nlh); ++ ++ return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid); ++} ++ + static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, + struct nlattr **attrs) + { +@@ -2621,6 +2669,8 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { + [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32), + [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32), + [XFRM_MSG_GETSPDINFO - 
XFRM_MSG_BASE] = sizeof(u32), ++ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), ++ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), + }; + EXPORT_SYMBOL_GPL(xfrm_msg_min); + +@@ -2700,6 +2750,8 @@ static const struct xfrm_link { + .nla_pol = xfrma_spd_policy, + .nla_max = XFRMA_SPD_MAX }, + [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, ++ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_set_default }, ++ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_get_default }, + }; + + static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, +-- +2.35.1 + diff --git a/queue-5.10/xfrm-fix-dflt-policy-check-when-there-is-no-policy-c.patch b/queue-5.10/xfrm-fix-dflt-policy-check-when-there-is-no-policy-c.patch new file mode 100644 index 00000000000..f0774784b7d --- /dev/null +++ b/queue-5.10/xfrm-fix-dflt-policy-check-when-there-is-no-policy-c.patch 
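Review bot: In `xfrm_set_default()` (net/xfrm/xfrm_user.c), `up->dirmask` and `up->action` come straight from the netlink message and are used as a shift count and a shifted value without validation. `1 << up->dirmask` is undefined once the count reaches the width of `int`, and `up->action << up->dirmask` can set bits outside the intended direction bit; `xfrm_get_default()` shifts by the same unchecked field. A bound before the first use would close this, e.g. `if (up->dirmask >= XFRM_POLICY_MAX || up->action > 1) return -EINVAL;`, with the `dirmask` computation moved below it. The series file queues `net-xfrm-fix-shift-out-of-bounce.patch` after this one, which presumably covers at least the shift. Its contents are not visible here, so this patch should not be applied without it.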
@@ -0,0 +1,40 @@
+From f0ea470080f9e2e0d450b29ea9642cd4eb4295e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Nov 2021 11:33:13 +0100
+Subject: xfrm: fix dflt policy check when there is no policy configured
+
+From: Nicolas Dichtel
+
+[ Upstream commit ec3bb890817e4398f2d46e12e2e205495b116be9 ]
+
+When there is no policy configured on the system, the default policy is
+checked in xfrm_route_forward. However, it was done with the wrong
+direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT).
+The default policy for XFRM_POLICY_FWD was checked just before, with a call
+to xfrm[46]_policy_check().
+
+CC: stable@vger.kernel.org
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ include/net/xfrm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 988886f95e5b..6a9e3b4c8a35 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1175,7 +1175,7 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ {
+ struct net *net = dev_net(skb->dev);
+
+- if (xfrm_default_allow(net, XFRM_POLICY_FWD))
++ if (xfrm_default_allow(net, XFRM_POLICY_OUT))
+ return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
+ (skb_dst(skb)->flags & DST_NOXFRM) ||
+ __xfrm_route_forward(skb, family);
+--
+2.35.1
+
diff --git a/queue-5.10/xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch b/queue-5.10/xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch
new file mode 100644
index 00000000000..6b71e3f4741
--- /dev/null
+++ b/queue-5.10/xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch
@@ -0,0 +1,183 @@ +From 96880b270bc8470d43dab9a2ca94cf4065aa4399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 23:34:02 +0300 +Subject: xfrm: fix "disable_policy" flag use when arriving from different + devices + +From: Eyal Birger + +[ Upstream commit e6175a2ed1f18bf2f649625bf725e07adcfa6a28 ] + +In IPv4 setting the "disable_policy" flag on a device means no policy +should be enforced for traffic originating from the device. This was +implemented by seting the DST_NOPOLICY flag in the dst based on the +originating device. + +However, dsts are cached in nexthops regardless of the originating +devices, in which case, the DST_NOPOLICY flag value may be incorrect. + +Consider the following setup: + + +------------------------------+ + | ROUTER | + +-------------+ | +-----------------+ | + | ipsec src |----|-|ipsec0 | | + +-------------+ | |disable_policy=0 | +----+ | + | +-----------------+ |eth1|-|----- + +-------------+ | +-----------------+ +----+ | + | noipsec src |----|-|eth0 | | + +-------------+ | |disable_policy=1 | | + | +-----------------+ | + +------------------------------+ + +Where ROUTER has a default route towards eth1. + +dst entries for traffic arriving from eth0 would have DST_NOPOLICY +and would be cached and therefore can be reused by traffic originating +from ipsec0, skipping policy check. + +Fix by setting a IPSKB_NOPOLICY flag in IPCB and observing it instead +of the DST in IN/FWD IPv4 policy checks. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Shmulik Ladkani +Signed-off-by: Eyal Birger +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 1 + + include/net/xfrm.h | 14 +++++++++++++- + net/ipv4/route.c | 23 ++++++++++++++++++----- + 3 files changed, 32 insertions(+), 6 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index de2dc22a78f9..76aaa7eb5b82 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -55,6 +55,7 @@ struct inet_skb_parm { + #define IPSKB_DOREDIRECT BIT(5) + #define IPSKB_FRAG_PMTU BIT(6) + #define IPSKB_L3SLAVE BIT(7) ++#define IPSKB_NOPOLICY BIT(8) + + u16 frag_max_size; + }; +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 86e5d1aa9628..8a9943d935f1 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1100,6 +1100,18 @@ static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb, + return false; + } + ++static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb, ++ int dir, unsigned short family) ++{ ++ if (dir != XFRM_POLICY_OUT && family == AF_INET) { ++ /* same dst may be used for traffic originating from ++ * devices with different policy settings. 
++ */ ++ return IPCB(skb)->flags & IPSKB_NOPOLICY; ++ } ++ return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY); ++} ++ + static inline int __xfrm_policy_check2(struct sock *sk, int dir, + struct sk_buff *skb, + unsigned int family, int reverse) +@@ -1111,7 +1123,7 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir, + return __xfrm_policy_check(sk, ndir, skb, family); + + return __xfrm_check_nopolicy(net, skb, dir) || +- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || ++ __xfrm_check_dev_nopolicy(skb, dir, family) || + __xfrm_policy_check(sk, ndir, skb, family); + } + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 9bd3cd2177f4..aab8ac383d5d 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1765,6 +1765,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + struct in_device *in_dev = __in_dev_get_rcu(dev); + unsigned int flags = RTCF_MULTICAST; + struct rtable *rth; ++ bool no_policy; + u32 itag = 0; + int err; + +@@ -1775,8 +1776,12 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + if (our) + flags |= RTCF_LOCAL; + ++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY); ++ if (no_policy) ++ IPCB(skb)->flags |= IPSKB_NOPOLICY; ++ + rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST, +- IN_DEV_ORCONF(in_dev, NOPOLICY), false); ++ no_policy, false); + if (!rth) + return -ENOBUFS; + +@@ -1835,7 +1840,7 @@ static int __mkroute_input(struct sk_buff *skb, + struct rtable *rth; + int err; + struct in_device *out_dev; +- bool do_cache; ++ bool do_cache, no_policy; + u32 itag = 0; + + /* get a working reference to the output device */ +@@ -1880,6 +1885,10 @@ static int __mkroute_input(struct sk_buff *skb, + } + } + ++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY); ++ if (no_policy) ++ IPCB(skb)->flags |= IPSKB_NOPOLICY; ++ + fnhe = find_exception(nhc, daddr); + if (do_cache) { + if (fnhe) +@@ -1892,8 +1901,7 @@ static int __mkroute_input(struct sk_buff 
*skb, + } + } + +- rth = rt_dst_alloc(out_dev->dev, 0, res->type, +- IN_DEV_ORCONF(in_dev, NOPOLICY), ++ rth = rt_dst_alloc(out_dev->dev, 0, res->type, no_policy, + IN_DEV_ORCONF(out_dev, NOXFRM)); + if (!rth) { + err = -ENOBUFS; +@@ -2145,6 +2153,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, + struct rtable *rth; + struct flowi4 fl4; + bool do_cache = true; ++ bool no_policy; + + /* IP on this device is disabled. */ + +@@ -2262,6 +2271,10 @@ out: return err; + RT_CACHE_STAT_INC(in_brd); + + local_input: ++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY); ++ if (no_policy) ++ IPCB(skb)->flags |= IPSKB_NOPOLICY; ++ + do_cache &= res->fi && !itag; + if (do_cache) { + struct fib_nh_common *nhc = FIB_RES_NHC(*res); +@@ -2276,7 +2289,7 @@ out: return err; + + rth = rt_dst_alloc(ip_rt_get_dev(net, res), + flags | RTCF_LOCAL, res->type, +- IN_DEV_ORCONF(in_dev, NOPOLICY), false); ++ no_policy, false); + if (!rth) + goto e_nobufs; + +-- +2.35.1 + diff --git a/queue-5.10/xfrm-make-user-policy-api-complete.patch b/queue-5.10/xfrm-make-user-policy-api-complete.patch new file mode 100644 index 00000000000..43939c8e574 --- /dev/null +++ b/queue-5.10/xfrm-make-user-policy-api-complete.patch 
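Review bot: `__xfrm_check_dev_nopolicy()` now trusts `IPCB(skb)->flags` for every IN/FWD IPv4 check, but its comment explains only why the dst is not consulted, not what guarantees the flag is current. From the hunks the flag is set at three places in net/ipv4/route.c (`ip_route_input_mc()`, `__mkroute_input()`, the `local_input:` label) and never cleared, so an skb that obtains its dst some other way is checked with the flag clear, and one whose control block is reused could carry a stale bit; neither case is visible here, so this is a question rather than a finding. I would extend the comment to `/* IPSKB_NOPOLICY is set during IPv4 input routing; callers must run while skb->cb still holds that inet_skb_parm */`. The three identical `no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY);` / `IPCB(skb)->flags |= IPSKB_NOPOLICY;` pairs could also move into one small helper so a future routing path cannot add one half without the other. All three enclosing functions extend beyond their hunks.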
@@ -0,0 +1,111 @@
+From cb361c1238c8c6bb438a7adfe8a07a1cbfe17343 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Sep 2021 16:46:33 +0200
+Subject: xfrm: make user policy API complete
+
+From: Nicolas Dichtel
+
+[ Upstream commit f8d858e607b2a36808ac6d4218f5f5203d7a7d63 ]
+
+>From a userland POV, this API was based on some magic values:
+ - dirmask and action were bitfields but meaning of bits
+ (XFRM_POL_DEFAULT_*) are not exported;
+ - action is confusing, if a bit is set, does it mean drop or accept?
+
+Let's try to simplify this uapi by using explicit field and macros.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/xfrm.h | 9 ++++++---
+ net/xfrm/xfrm_user.c | 31 +++++++++++++++++++------------
+ 2 files changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
+index 2a2c4dcb015f..6bae68645148 100644
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -521,9 +521,12 @@ struct xfrm_user_offload {
+ #define XFRM_OFFLOAD_INBOUND 2
+
+ struct xfrm_userpolicy_default {
+-#define XFRM_USERPOLICY_DIRMASK_MAX (sizeof(__u8) * 8)
+- __u8 dirmask;
+- __u8 action;
++#define XFRM_USERPOLICY_UNSPEC 0
++#define XFRM_USERPOLICY_BLOCK 1
++#define XFRM_USERPOLICY_ACCEPT 2
++ __u8 in;
++ __u8 fwd;
++ __u8 out;
+ };
+
+ #ifndef __KERNEL__
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 026f29f80f88..261953e081fb 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1919,16 +1919,21 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ {
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
+- u8 dirmask;
+- u8 old_default = net->xfrm.policy_default;
+
+- if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX)
+- return -EINVAL;
++ if (up->in == XFRM_USERPOLICY_BLOCK)
++ net->xfrm.policy_default |= XFRM_POL_DEFAULT_IN;
++ else if (up->in == XFRM_USERPOLICY_ACCEPT)
++ net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_IN;
+
+- dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
++ if (up->fwd == XFRM_USERPOLICY_BLOCK)
++ net->xfrm.policy_default |= XFRM_POL_DEFAULT_FWD;
++ else if (up->fwd == XFRM_USERPOLICY_ACCEPT)
++ net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_FWD;
+
+- net->xfrm.policy_default = (old_default & (0xff ^ dirmask))
+- | (up->action << up->dirmask);
++ if (up->out == XFRM_USERPOLICY_BLOCK)
++ net->xfrm.policy_default |= XFRM_POL_DEFAULT_OUT;
++ else if (up->out == XFRM_USERPOLICY_ACCEPT)
++ net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_OUT;
+
+ rt_genid_bump_all(net);
+
+@@ -1941,13 +1946,11 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct sk_buff *r_skb;
+ struct nlmsghdr *r_nlh;
+ struct net *net = sock_net(skb->sk);
+- struct xfrm_userpolicy_default *r_up, *up;
++ struct xfrm_userpolicy_default *r_up;
+ int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default));
+ u32 portid = NETLINK_CB(skb).portid;
+ u32 seq = nlh->nlmsg_seq;
+
+- up = nlmsg_data(nlh);
+-
+ r_skb = nlmsg_new(len, GFP_ATOMIC);
+ if (!r_skb)
+ return -ENOMEM;
+@@ -1960,8 +1963,12 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+
+ r_up = nlmsg_data(r_nlh);
+
+- r_up->action = ((net->xfrm.policy_default & (1 << up->dirmask)) >> up->dirmask);
+- r_up->dirmask = up->dirmask;
++ r_up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ r_up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ r_up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+ nlmsg_end(r_skb, r_nlh);
+
+ return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid);
+--
+2.35.1
+
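Review bot: `xfrm_set_default()` loses its only `-EINVAL` path here, so a request whose `in`, `fwd` or `out` byte is neither `XFRM_USERPOLICY_BLOCK` nor `XFRM_USERPOLICY_ACCEPT` is silently skipped and the call still reaches `rt_genid_bump_all(net)`. Treating `XFRM_USERPOLICY_UNSPEC` as "leave unchanged" is reasonable, but a value above `XFRM_USERPOLICY_ACCEPT` more likely comes from a tool built against different headers, and it would be told nothing while the default stays at whatever it was, possibly accept where the operator asked for block. I would reject those up front: `if (up->in > XFRM_USERPOLICY_ACCEPT || up->fwd > XFRM_USERPOLICY_ACCEPT || up->out > XFRM_USERPOLICY_ACCEPT) return -EINVAL;`. The function's return statement is outside the hunk.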
diff --git a/queue-5.10/xfrm-notify-default-policy-on-update.patch b/queue-5.10/xfrm-notify-default-policy-on-update.patch
new file mode 100644
index 00000000000..dda7ffa61a1
--- /dev/null
+++ b/queue-5.10/xfrm-notify-default-policy-on-update.patch
@@ -0,0 +1,72 @@
+From bacd28f3be200acc3d7d055b36936b5ff44bd9a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Sep 2021 16:46:34 +0200
+Subject: xfrm: notify default policy on update
+
+From: Nicolas Dichtel
+
+[ Upstream commit 88d0adb5f13b1c52fbb7d755f6f79db18c2f0c2c ]
+
+This configuration knob is very sensible, it should be notified when
+changing.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 261953e081fb..4152f6399205 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1914,6 +1914,36 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
+ return skb;
+ }
+
++static int xfrm_notify_userpolicy(struct net *net)
++{
++ struct xfrm_userpolicy_default *up;
++ int len = NLMSG_ALIGN(sizeof(*up));
++ struct nlmsghdr *nlh;
++ struct sk_buff *skb;
++
++ skb = nlmsg_new(len, GFP_ATOMIC);
++ if (skb == NULL)
++ return -ENOMEM;
++
++ nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_GETDEFAULT, sizeof(*up), 0);
++ if (nlh == NULL) {
++ kfree_skb(skb);
++ return -EMSGSIZE;
++ }
++
++ up = nlmsg_data(nlh);
++ up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++
++ nlmsg_end(skb, nlh);
++
++ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
++}
++
+ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+ {
+@@ -1937,6 +1967,7 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+
+ rt_genid_bump_all(net);
+
++ xfrm_notify_userpolicy(net);
+ return 0;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.10/xfrm-rework-default-policy-structure.patch b/queue-5.10/xfrm-rework-default-policy-structure.patch
new file mode 100644
index 00000000000..d10bb4428ed
--- /dev/null
+++ b/queue-5.10/xfrm-rework-default-policy-structure.patch
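Review bot: The return value of `xfrm_notify_userpolicy(net)` is discarded in `xfrm_set_default()`, so an allocation failure (`-ENOMEM`), `-EMSGSIZE` or a failed multicast leaves `XFRMNLGRP_POLICY` listeners unaware that the default changed. Returning the error would mislead the caller because the new default is already in effect, so I would keep the call best-effort but say so next to it: `/* best effort: the default is already applied, listeners may miss this event */`, and consider a rate-limited warning on failure. As far as the second hunk shows, the notification is also sent when the request changed nothing, which makes it a "set was called" signal rather than a "value changed" one; that is worth one line in the helper's comment. The body of `xfrm_set_default()` above `rt_genid_bump_all(net)` is outside the hunk.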
@@ -0,0 +1,236 @@
+From 5f576c1102da14de78b9efdc411bd4c7db5de7f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Mar 2022 11:38:22 +0100
+Subject: xfrm: rework default policy structure
+
+From: Nicolas Dichtel
+
+[ Upstream commit b58b1f563ab78955d37e9e43e02790a85c66ac05 ]
+
+This is a follow up of commit f8d858e607b2 ("xfrm: make user policy API
+complete"). The goal is to align userland API to the internal structures.
+
+Signed-off-by: Nicolas Dichtel
+Reviewed-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ include/net/netns/xfrm.h | 6 +----
+ include/net/xfrm.h | 48 +++++++++++++++-------------------------
+ net/xfrm/xfrm_policy.c | 10 ++++++---
+ net/xfrm/xfrm_user.c | 43 +++++++++++++++--------------------
+ 4 files changed, 44 insertions(+), 63 deletions(-)
+
+diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
+index b694ff0963cc..69e4161462fb 100644
+--- a/include/net/netns/xfrm.h
++++ b/include/net/netns/xfrm.h
+@@ -65,11 +65,7 @@ struct netns_xfrm {
+ int sysctl_larval_drop;
+ u32 sysctl_acq_expires;
+
+- u8 policy_default;
+-#define XFRM_POL_DEFAULT_IN 1
+-#define XFRM_POL_DEFAULT_OUT 2
+-#define XFRM_POL_DEFAULT_FWD 4
+-#define XFRM_POL_DEFAULT_MASK 7
++ u8 policy_default[XFRM_POLICY_MAX];
+
+ #ifdef CONFIG_SYSCTL
+ struct ctl_table_header *sysctl_hdr;
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 6a9e3b4c8a35..86e5d1aa9628 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1088,25 +1088,18 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un
+ }
+
+ #ifdef CONFIG_XFRM
+-static inline bool
+-xfrm_default_allow(struct net *net, int dir)
+-{
+- u8 def = net->xfrm.policy_default;
+-
+- switch (dir) {
+- case XFRM_POLICY_IN:
+- return def & XFRM_POL_DEFAULT_IN ? false : true;
+- case XFRM_POLICY_OUT:
+- return def & XFRM_POL_DEFAULT_OUT ? false : true;
+- case XFRM_POLICY_FWD:
+- return def & XFRM_POL_DEFAULT_FWD ? false : true;
+- }
+- return false;
+-}
+-
+ int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
+ unsigned short family);
+
++static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
++ int dir)
++{
++ if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
++ return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
++
++ return false;
++}
++
+ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+ struct sk_buff *skb,
+ unsigned int family, int reverse)
+@@ -1117,13 +1110,9 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+ if (sk && sk->sk_policy[XFRM_POLICY_IN])
+ return __xfrm_policy_check(sk, ndir, skb, family);
+
+- if (xfrm_default_allow(net, dir))
+- return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
+- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
+- __xfrm_policy_check(sk, ndir, skb, family);
+- else
+- return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
+- __xfrm_policy_check(sk, ndir, skb, family);
++ return __xfrm_check_nopolicy(net, skb, dir) ||
++ (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
++ __xfrm_policy_check(sk, ndir, skb, family);
+ }
+
+ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
+@@ -1175,13 +1164,12 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ {
+ struct net *net = dev_net(skb->dev);
+
+- if (xfrm_default_allow(net, XFRM_POLICY_OUT))
+- return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
+- (skb_dst(skb)->flags & DST_NOXFRM) ||
+- __xfrm_route_forward(skb, family);
+- else
+- return (skb_dst(skb)->flags & DST_NOXFRM) ||
+- __xfrm_route_forward(skb, family);
++ if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
++ net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
++ return true;
++
++ return (skb_dst(skb)->flags & DST_NOXFRM) ||
++ __xfrm_route_forward(skb, family);
+ }
+
+ static inline int xfrm4_route_forward(struct sk_buff *skb)
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 2c701fb3a61b..93cbcc8f9b39 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3162,7 +3162,7 @@ struct dst_entry *xfrm_lookup_with_ifid(struct net *net,
+
+ nopol:
+ if (!(dst_orig->dev->flags & IFF_LOOPBACK) &&
+- !xfrm_default_allow(net, dir)) {
++ net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
+ err = -EPERM;
+ goto error;
+ }
+@@ -3613,7 +3613,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+
+ if (!pol) {
+- if (!xfrm_default_allow(net, dir)) {
++ if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
+ return 0;
+ }
+@@ -3673,7 +3673,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+ xfrm_nr = ti;
+
+- if (!xfrm_default_allow(net, dir) && !xfrm_nr) {
++ if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
++ !xfrm_nr) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
+ goto reject;
+ }
+@@ -4162,6 +4163,9 @@ static int __net_init xfrm_net_init(struct net *net)
+ spin_lock_init(&net->xfrm.xfrm_policy_lock);
+ seqcount_spinlock_init(&net->xfrm.xfrm_policy_hash_generation, &net->xfrm.xfrm_policy_lock);
+ mutex_init(&net->xfrm.xfrm_cfg_mutex);
++ net->xfrm.policy_default[XFRM_POLICY_IN] = XFRM_USERPOLICY_ACCEPT;
++ net->xfrm.policy_default[XFRM_POLICY_FWD] = XFRM_USERPOLICY_ACCEPT;
++ net->xfrm.policy_default[XFRM_POLICY_OUT] = XFRM_USERPOLICY_ACCEPT;
+
+ rv = xfrm_statistics_init(net);
+ if (rv < 0)
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 4152f6399205..d9841f44487f 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1932,38 +1932,35 @@ static int xfrm_notify_userpolicy(struct net *net)
+ }
+
+ up = nlmsg_data(nlh);
+- up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
++ up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
++ up->out = net->xfrm.policy_default[XFRM_POLICY_OUT];
+
+ nlmsg_end(skb, nlh);
+
+ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
+ }
+
++static bool xfrm_userpolicy_is_valid(__u8 policy)
++{
++ return policy == XFRM_USERPOLICY_BLOCK ||
++ policy == XFRM_USERPOLICY_ACCEPT;
++}
++
+ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+ {
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
+
+- if (up->in == XFRM_USERPOLICY_BLOCK)
+- net->xfrm.policy_default |= XFRM_POL_DEFAULT_IN;
+- else if (up->in == XFRM_USERPOLICY_ACCEPT)
+- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_IN;
++ if (xfrm_userpolicy_is_valid(up->in))
++ net->xfrm.policy_default[XFRM_POLICY_IN] = up->in;
+
+- if (up->fwd == XFRM_USERPOLICY_BLOCK)
+- net->xfrm.policy_default |= XFRM_POL_DEFAULT_FWD;
+- else if (up->fwd == XFRM_USERPOLICY_ACCEPT)
+- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_FWD;
++ if (xfrm_userpolicy_is_valid(up->fwd))
++ net->xfrm.policy_default[XFRM_POLICY_FWD] = up->fwd;
+
+- if (up->out == XFRM_USERPOLICY_BLOCK)
+- net->xfrm.policy_default |= XFRM_POL_DEFAULT_OUT;
+- else if (up->out == XFRM_USERPOLICY_ACCEPT)
+- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_OUT;
++ if (xfrm_userpolicy_is_valid(up->out))
++ net->xfrm.policy_default[XFRM_POLICY_OUT] = up->out;
+
+ rt_genid_bump_all(net);
+
+@@ -1993,13 +1990,9 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ }
+
+ r_up = nlmsg_data(r_nlh);
+-
+- r_up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- r_up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- r_up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
++ r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
++ r_up->out = net->xfrm.policy_default[XFRM_POLICY_OUT];
+ nlmsg_end(r_skb, r_nlh);
+
+ return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid);
+--
+2.35.1
+
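Review bot: After this rework the enforcement sites disagree on what an out-of-set value would mean: `__xfrm_check_nopolicy()` and `xfrm_route_forward()` test `== XFRM_USERPOLICY_ACCEPT`, while `xfrm_lookup_with_ifid()` and `__xfrm_policy_check()` test `== XFRM_USERPOLICY_BLOCK`, so an entry holding `XFRM_USERPOLICY_UNSPEC` would be neither accepted early nor blocked by default. The visible code keeps that state unreachable (`xfrm_net_init()` stores ACCEPT for all three directions and `xfrm_set_default()` writes only values that pass `xfrm_userpolicy_is_valid()`), but nothing records the invariant. I would document it on the field in `struct netns_xfrm`: `/* per direction: XFRM_USERPOLICY_BLOCK or XFRM_USERPOLICY_ACCEPT, never UNSPEC */`. `policy_default[dir]` is also indexed with a caller-supplied `dir` in `__xfrm_policy_check()` and `xfrm_lookup_with_ifid()`; the lines that keep `dir` below `XFRM_POLICY_MAX` are outside these hunks and worth confirming.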