From: Sasha Levin
Date: Sun, 17 Nov 2024 14:35:18 +0000 (-0500)
Subject: Fixes for 6.6
X-Git-Tag: v6.12.1~65
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=328621cc5cc64b6da7a2f4d104c8208688c5d212;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 6.6
Signed-off-by: Sasha Levin
---
diff --git a/queue-6.6/arm-9419-1-mm-fix-kernel-memory-mapping-for-xip-kern.patch b/queue-6.6/arm-9419-1-mm-fix-kernel-memory-mapping-for-xip-kern.patch
new file mode 100644
index 00000000000..6c883dad665
--- /dev/null
+++ b/queue-6.6/arm-9419-1-mm-fix-kernel-memory-mapping-for-xip-kern.patch
@@ -0,0 +1,144 @@ +From 0e8867bbefe1b49a2b594caf93f8991aab85bb8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 06:57:11 +0100 +Subject: ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels + +From: Harith G + +[ Upstream commit ed6cbe6e5563452f305e89c15846820f2874e431 ] + +The patchset introducing kernel_sec_start/end variables to separate the +kernel/lowmem memory mappings, broke the mapping of the kernel memory +for xipkernels. + +kernel_sec_start/end variables are in RO area before the MMU is switched +on for xipkernels. +So these cannot be set early in boot in head.S. Fix this by setting these +after MMU is switched on. +xipkernels need two different mappings for kernel text (starting at +CONFIG_XIP_PHYS_ADDR) and data (starting at CONFIG_PHYS_OFFSET). +Also, move the kernel code mapping from devicemaps_init() to map_kernel(). + +Fixes: a91da5457085 ("ARM: 9089/1: Define kernel physical section start and end") +Signed-off-by: Harith George +Reviewed-by: Linus Walleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/head.S | 8 ++++++-- + arch/arm/mm/mmu.c | 34 +++++++++++++++++++++------------- + 2 files changed, 27 insertions(+), 15 deletions(-) + +diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S +index 1ec35f065617e..28873cda464f5 100644 +--- a/arch/arm/kernel/head.S ++++ b/arch/arm/kernel/head.S +@@ -252,11 +252,15 @@ __create_page_tables: + */ + add r0, r4, #KERNEL_OFFSET >> (SECTION_SHIFT - PMD_ENTRY_ORDER) + ldr r6, =(_end - 1) ++ ++ /* For XIP, kernel_sec_start/kernel_sec_end are currently in RO memory */ ++#ifndef CONFIG_XIP_KERNEL + adr_l r5, kernel_sec_start @ _pa(kernel_sec_start) + #if defined CONFIG_CPU_ENDIAN_BE8 || defined CONFIG_CPU_ENDIAN_BE32 + str r8, [r5, #4] @ Save physical start of kernel (BE) + #else + str r8, [r5] @ Save physical start of kernel (LE) ++#endif + #endif + orr r3, r8, r7 @ Add the MMU flags + add r6, r4, r6, lsr #(SECTION_SHIFT - PMD_ENTRY_ORDER) 
+@@ -264,6 +268,7 @@ __create_page_tables: + add r3, r3, #1 << SECTION_SHIFT + cmp r0, r6 + bls 1b ++#ifndef CONFIG_XIP_KERNEL + eor r3, r3, r7 @ Remove the MMU flags + adr_l r5, kernel_sec_end @ _pa(kernel_sec_end) + #if defined CONFIG_CPU_ENDIAN_BE8 || defined CONFIG_CPU_ENDIAN_BE32 +@@ -271,8 +276,7 @@ __create_page_tables: + #else + str r3, [r5] @ Save physical end of kernel (LE) + #endif +- +-#ifdef CONFIG_XIP_KERNEL ++#else + /* + * Map the kernel image separately as it is not located in RAM. + */ +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index 674ed71573a84..073de5b24560d 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -1402,18 +1402,6 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) + create_mapping(&map); + } + +- /* +- * Map the kernel if it is XIP. +- * It is always first in the modulearea. +- */ +-#ifdef CONFIG_XIP_KERNEL +- map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK); +- map.virtual = MODULES_VADDR; +- map.length = ((unsigned long)_exiprom - map.virtual + ~SECTION_MASK) & SECTION_MASK; +- map.type = MT_ROM; +- create_mapping(&map); +-#endif +- + /* + * Map the cache flushing regions. + */ +@@ -1603,12 +1591,27 @@ static void __init map_kernel(void) + * This will only persist until we turn on proper memory management later on + * and we remap the whole kernel with page granularity. + */ ++#ifdef CONFIG_XIP_KERNEL ++ phys_addr_t kernel_nx_start = kernel_sec_start; ++#else + phys_addr_t kernel_x_start = kernel_sec_start; + phys_addr_t kernel_x_end = round_up(__pa(__init_end), SECTION_SIZE); + phys_addr_t kernel_nx_start = kernel_x_end; ++#endif + phys_addr_t kernel_nx_end = kernel_sec_end; + struct map_desc map; + ++ /* ++ * Map the kernel if it is XIP. ++ * It is always first in the modulearea. 
++ */ ++#ifdef CONFIG_XIP_KERNEL ++ map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK); ++ map.virtual = MODULES_VADDR; ++ map.length = ((unsigned long)_exiprom - map.virtual + ~SECTION_MASK) & SECTION_MASK; ++ map.type = MT_ROM; ++ create_mapping(&map); ++#else + map.pfn = __phys_to_pfn(kernel_x_start); + map.virtual = __phys_to_virt(kernel_x_start); + map.length = kernel_x_end - kernel_x_start; +@@ -1618,7 +1621,7 @@ static void __init map_kernel(void) + /* If the nx part is small it may end up covered by the tail of the RWX section */ + if (kernel_x_end == kernel_nx_end) + return; +- ++#endif + map.pfn = __phys_to_pfn(kernel_nx_start); + map.virtual = __phys_to_virt(kernel_nx_start); + map.length = kernel_nx_end - kernel_nx_start; +@@ -1763,6 +1766,11 @@ void __init paging_init(const struct machine_desc *mdesc) + { + void *zero_page; + ++#ifdef CONFIG_XIP_KERNEL ++ /* Store the kernel RW RAM region start/end in these variables */ ++ kernel_sec_start = CONFIG_PHYS_OFFSET & SECTION_MASK; ++ kernel_sec_end = round_up(__pa(_end), SECTION_SIZE); ++#endif + pr_debug("physical kernel sections: 0x%08llx-0x%08llx\n", + kernel_sec_start, kernel_sec_end); + +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-btintel-direct-exception-event-to-bluetoot.patch b/queue-6.6/bluetooth-btintel-direct-exception-event-to-bluetoot.patch new file mode 100644 index 00000000000..ef4e32f7ddb --- /dev/null +++ b/queue-6.6/bluetooth-btintel-direct-exception-event-to-bluetoot.patch 
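Review bot: The preprocessor nesting added to `__create_page_tables` in head.S is hard to pair up: the new `#endif` lands directly above the existing one, so the first closes the endianness `#if` and the second closes `#ifndef CONFIG_XIP_KERNEL`, and nothing on those lines says which is which. Tagging the outer directive, e.g. `#endif /* !CONFIG_XIP_KERNEL */`, would make the pairing explicit. The same applies to the `#else`/`#endif` pair in `map_kernel()` in mmu.c, where the non-XIP arm now encloses the early `return`. Both functions continue outside the visible hunks.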
@@ -0,0 +1,55 @@
+From 1bc79afe603dd2f164ea1d6994d11f642a686f16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Oct 2024 14:41:34 +0530
+Subject: Bluetooth: btintel: Direct exception event to bluetooth stack
+
+From: Kiran K
+
+[ Upstream commit d5359a7f583ab9b7706915213b54deac065bcb81 ]
+
+Have exception event part of HCI traces which helps for debug.
+
+snoop traces:
+> HCI Event: Vendor (0xff) plen 79
+ Vendor Prefix (0x8780)
+ Intel Extended Telemetry (0x03)
+ Unknown extended telemetry event type (0xde)
+ 01 01 de
+ Unknown extended subevent 0x07
+ 01 01 de 07 01 de 06 1c ef be ad de ef be ad de
+ ef be ad de ef be ad de ef be ad de ef be ad de
+ ef be ad de 05 14 ef be ad de ef be ad de ef be
+ ad de ef be ad de ef be ad de 43 10 ef be ad de
+ ef be ad de ef be ad de ef be ad de
+
+Fixes: af395330abed ("Bluetooth: btintel: Add Intel devcoredump support")
+Signed-off-by: Kiran K
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btintel.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index a936219aebb81..3773cd9d998d5 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -2928,13 +2928,12 @@ static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb)
+ case INTEL_TLV_TEST_EXCEPTION:
+ /* Generate devcoredump from exception */
+ if (!hci_devcd_init(hdev, skb->len)) {
+- hci_devcd_append(hdev, skb);
++ hci_devcd_append(hdev, skb_clone(skb, GFP_ATOMIC));
+ hci_devcd_complete(hdev);
+ } else {
+ bt_dev_err(hdev, "Failed to generate devcoredump");
+- kfree_skb(skb);
+ }
+- return 0;
++ break;
+ default:
+ bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]);
+ }
+--
+2.43.0
+
diff --git a/queue-6.6/bluetooth-hci_core-fix-calling-mgmt_device_connected.patch b/queue-6.6/bluetooth-hci_core-fix-calling-mgmt_device_connected.patch
new file mode 100644
index 00000000000..31aa298be92
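Review bot: The result of `skb_clone(skb, GFP_ATOMIC)` in the `INTEL_TLV_TEST_EXCEPTION` case is handed straight to `hci_devcd_append()` without a NULL check, and an atomic clone can fail under memory pressure. Whether `hci_devcd_append()` tolerates a NULL skb is not visible in this hunk, and its return value is ignored either way, so `hci_devcd_complete()` would run on a dump that may hold no data. Holding the clone in a local, `struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);`, and calling `if (clone) hci_devcd_append(hdev, clone);` with a `bt_dev_err()` on the failure path would keep the lost dump visible in the log. `btintel_diagnostics()` starts and ends outside the hunk.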
--- /dev/null
+++ b/queue-6.6/bluetooth-hci_core-fix-calling-mgmt_device_connected.patch
@@ -0,0 +1,39 @@
+From 07b0e46075f84142efa1934f48c875571b593a9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Nov 2024 11:19:54 -0500
+Subject: Bluetooth: hci_core: Fix calling mgmt_device_connected
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 7967dc8f797f454d4f4acec15c7df0cdf4801617 ]
+
+Since 61a939c68ee0 ("Bluetooth: Queue incoming ACL data until
+BT_CONNECTED state is reached") there is no long the need to call
+mgmt_device_connected as ACL data will be queued until BT_CONNECTED
+state.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219458
+Link: https://github.com/bluez/bluez/issues/1014
+Fixes: 333b4fd11e89 ("Bluetooth: L2CAP: Fix uaf in l2cap_connect")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index d4e607bf35baf..3cf4dd9cad8a3 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3752,8 +3752,6 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
+
+ hci_dev_lock(hdev);
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
+- if (conn && hci_dev_test_flag(hdev, HCI_MGMT))
+- mgmt_device_connected(hdev, conn, NULL, 0);
+ hci_dev_unlock(hdev);
+
+ if (conn) {
+--
+2.43.0
+
diff --git a/queue-6.6/bonding-add-ns-target-multicast-address-to-slave-dev.patch b/queue-6.6/bonding-add-ns-target-multicast-address-to-slave-dev.patch
new file mode 100644
index 00000000000..1731d1e6dae
--- /dev/null
+++ b/queue-6.6/bonding-add-ns-target-multicast-address-to-slave-dev.patch
@@ -0,0 +1,237 @@ +From bde307d87856b6a5840df89c29ee799689c19d82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2024 10:16:49 +0000 +Subject: bonding: add ns target multicast address to slave device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hangbin Liu + +[ Upstream commit 8eb36164d1a6769a20ed43033510067ff3dab9ee ] + +Commit 4598380f9c54 ("bonding: fix ns validation on backup slaves") +tried to resolve the issue where backup slaves couldn't be brought up when +receiving IPv6 Neighbor Solicitation (NS) messages. However, this fix only +worked for drivers that receive all multicast messages, such as the veth +interface. + +For standard drivers, the NS multicast message is silently dropped because +the slave device is not a member of the NS target multicast group. + +To address this, we need to make the slave device join the NS target +multicast group, ensuring it can receive these IPv6 NS messages to validate +the slave’s status properly. + +There are three policies before joining the multicast group: +1. All settings must be under active-backup mode (alb and tlb do not support + arp_validate), with backup slaves and slaves supporting multicast. +2. We can add or remove multicast groups when arp_validate changes. +3. Other operations, such as enslaving, releasing, or setting NS targets, + need to be guarded by arp_validate. 
+ +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Hangbin Liu +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 16 +++++- + drivers/net/bonding/bond_options.c | 82 +++++++++++++++++++++++++++++- + include/net/bond_options.h | 2 + + 3 files changed, 98 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 14b4780b73c72..bee93a437f997 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -934,6 +934,8 @@ static void bond_hw_addr_swap(struct bonding *bond, struct slave *new_active, + + if (bond->dev->flags & IFF_UP) + bond_hw_addr_flush(bond->dev, old_active->dev); ++ ++ bond_slave_ns_maddrs_add(bond, old_active); + } + + if (new_active) { +@@ -950,6 +952,8 @@ static void bond_hw_addr_swap(struct bonding *bond, struct slave *new_active, + dev_mc_sync(new_active->dev, bond->dev); + netif_addr_unlock_bh(bond->dev); + } ++ ++ bond_slave_ns_maddrs_del(bond, new_active); + } + } + +@@ -2267,6 +2271,11 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + bond_compute_features(bond); + bond_set_carrier(bond); + ++ /* Needs to be called before bond_select_active_slave(), which will ++ * remove the maddrs if the slave is selected as active slave. 
++ */ ++ bond_slave_ns_maddrs_add(bond, new_slave); ++ + if (bond_uses_primary(bond)) { + block_netpoll_tx(); + bond_select_active_slave(bond); +@@ -2276,7 +2285,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + if (bond_mode_can_use_xmit_hash(bond)) + bond_update_slave_arr(bond, NULL); + +- + if (!slave_dev->netdev_ops->ndo_bpf || + !slave_dev->netdev_ops->ndo_xdp_xmit) { + if (bond->xdp_prog) { +@@ -2474,6 +2482,12 @@ static int __bond_release_one(struct net_device *bond_dev, + if (oldcurrent == slave) + bond_change_active_slave(bond, NULL); + ++ /* Must be called after bond_change_active_slave () as the slave ++ * might change from an active slave to a backup slave. Then it is ++ * necessary to clear the maddrs on the backup slave. ++ */ ++ bond_slave_ns_maddrs_del(bond, slave); ++ + if (bond_is_lb(bond)) { + /* Must be called only after the slave has been + * detached from the list and the curr_active_slave +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index d1208d058eea1..8c326e41b8d63 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -15,6 +15,7 @@ + #include + + #include ++#include + + static int bond_option_active_slave_set(struct bonding *bond, + const struct bond_opt_value *newval); +@@ -1218,6 +1219,68 @@ static int bond_option_arp_ip_targets_set(struct bonding *bond, + } + + #if IS_ENABLED(CONFIG_IPV6) ++static bool slave_can_set_ns_maddr(const struct bonding *bond, struct slave *slave) ++{ ++ return BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP && ++ !bond_is_active_slave(slave) && ++ slave->dev->flags & IFF_MULTICAST; ++} ++ ++static void slave_set_ns_maddrs(struct bonding *bond, struct slave *slave, bool add) ++{ ++ struct in6_addr *targets = bond->params.ns_targets; ++ char slot_maddr[MAX_ADDR_LEN]; ++ int i; ++ ++ if (!slave_can_set_ns_maddr(bond, slave)) ++ return; ++ ++ for (i = 0; i < BOND_MAX_NS_TARGETS; i++) { ++ if 
(ipv6_addr_any(&targets[i])) ++ break; ++ ++ if (!ndisc_mc_map(&targets[i], slot_maddr, slave->dev, 0)) { ++ if (add) ++ dev_mc_add(slave->dev, slot_maddr); ++ else ++ dev_mc_del(slave->dev, slot_maddr); ++ } ++ } ++} ++ ++void bond_slave_ns_maddrs_add(struct bonding *bond, struct slave *slave) ++{ ++ if (!bond->params.arp_validate) ++ return; ++ slave_set_ns_maddrs(bond, slave, true); ++} ++ ++void bond_slave_ns_maddrs_del(struct bonding *bond, struct slave *slave) ++{ ++ if (!bond->params.arp_validate) ++ return; ++ slave_set_ns_maddrs(bond, slave, false); ++} ++ ++static void slave_set_ns_maddr(struct bonding *bond, struct slave *slave, ++ struct in6_addr *target, struct in6_addr *slot) ++{ ++ char target_maddr[MAX_ADDR_LEN], slot_maddr[MAX_ADDR_LEN]; ++ ++ if (!bond->params.arp_validate || !slave_can_set_ns_maddr(bond, slave)) ++ return; ++ ++ /* remove the previous maddr from slave */ ++ if (!ipv6_addr_any(slot) && ++ !ndisc_mc_map(slot, slot_maddr, slave->dev, 0)) ++ dev_mc_del(slave->dev, slot_maddr); ++ ++ /* add new maddr on slave if target is set */ ++ if (!ipv6_addr_any(target) && ++ !ndisc_mc_map(target, target_maddr, slave->dev, 0)) ++ dev_mc_add(slave->dev, target_maddr); ++} ++ + static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot, + struct in6_addr *target, + unsigned long last_rx) +@@ -1227,8 +1290,10 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot, + struct slave *slave; + + if (slot >= 0 && slot < BOND_MAX_NS_TARGETS) { +- bond_for_each_slave(bond, slave, iter) ++ bond_for_each_slave(bond, slave, iter) { + slave->target_last_arp_rx[slot] = last_rx; ++ slave_set_ns_maddr(bond, slave, target, &targets[slot]); ++ } + targets[slot] = *target; + } + } +@@ -1280,15 +1345,30 @@ static int bond_option_ns_ip6_targets_set(struct bonding *bond, + { + return -EPERM; + } ++ ++static void slave_set_ns_maddrs(struct bonding *bond, struct slave *slave, bool add) {} ++ ++void bond_slave_ns_maddrs_add(struct 
bonding *bond, struct slave *slave) {} ++ ++void bond_slave_ns_maddrs_del(struct bonding *bond, struct slave *slave) {} + #endif + + static int bond_option_arp_validate_set(struct bonding *bond, + const struct bond_opt_value *newval) + { ++ bool changed = !!bond->params.arp_validate != !!newval->value; ++ struct list_head *iter; ++ struct slave *slave; ++ + netdev_dbg(bond->dev, "Setting arp_validate to %s (%llu)\n", + newval->string, newval->value); + bond->params.arp_validate = newval->value; + ++ if (changed) { ++ bond_for_each_slave(bond, slave, iter) ++ slave_set_ns_maddrs(bond, slave, !!bond->params.arp_validate); ++ } ++ + return 0; + } + +diff --git a/include/net/bond_options.h b/include/net/bond_options.h +index 69292ecc03257..f631d9f099410 100644 +--- a/include/net/bond_options.h ++++ b/include/net/bond_options.h +@@ -160,5 +160,7 @@ void bond_option_arp_ip_targets_clear(struct bonding *bond); + #if IS_ENABLED(CONFIG_IPV6) + void bond_option_ns_ip6_targets_clear(struct bonding *bond); + #endif ++void bond_slave_ns_maddrs_add(struct bonding *bond, struct slave *slave); ++void bond_slave_ns_maddrs_del(struct bonding *bond, struct slave *slave); + + #endif /* _NET_BOND_OPTIONS_H */ +-- +2.43.0 + diff --git a/queue-6.6/drm-rockchip-vop-fix-a-dereferenced-before-check-war.patch b/queue-6.6/drm-rockchip-vop-fix-a-dereferenced-before-check-war.patch new file mode 100644 index 00000000000..8c12dca7a23 --- /dev/null +++ b/queue-6.6/drm-rockchip-vop-fix-a-dereferenced-before-check-war.patch 
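Review bot: `slave_set_ns_maddrs()` and `slave_set_ns_maddr()` in bond_options.c pass the configured NS target straight to `ndisc_mc_map()`, which derives a link-layer multicast address from an IPv6 multicast address. The entries in `bond->params.ns_targets` are presumably unicast target addresses, whereas a Neighbor Solicitation is sent to the target's solicited-node multicast group, so the MAC programmed through `dev_mc_add()` would not be the one the NS frames carry. Converting first, `addrconf_addr_solict_mult(&targets[i], &mcaddr);` followed by `ndisc_mc_map(&mcaddr, slot_maddr, slave->dev, 0)`, would match the commit message's stated intent of joining the NS target multicast group; the same conversion is needed for both `slot` and `target` in `slave_set_ns_maddr()`. The return values of `dev_mc_add()` and `dev_mc_del()` are also dropped at every call site, so a failed filter update goes unnoticed.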
@@ -0,0 +1,47 @@
+From 64d1435193befbb99df67f1d5692d6566cd1b65f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Oct 2024 15:28:06 +0800
+Subject: drm/rockchip: vop: Fix a dereferenced before check warning
+
+From: Andy Yan
+
+[ Upstream commit ab1c793f457f740ab7108cc0b1340a402dbf484d ]
+
+The 'state' can't be NULL, we should check crtc_state.
+
+Fix warning:
+drivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096
+vop_plane_atomic_async_check() warn: variable dereferenced before check
+'state' (see line 1077)
+
+Fixes: 5ddb0bd4ddc3 ("drm/atomic: Pass the full state to planes async atomic check and update")
+Signed-off-by: Andy Yan
+Signed-off-by: Heiko Stuebner
+Link: https://patchwork.freedesktop.org/patch/msgid/20241021072818.61621-1-andyshrk@163.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index ee72e8c6ad69b..a34d3fc662489 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -1076,10 +1076,10 @@ static int vop_plane_atomic_async_check(struct drm_plane *plane,
+ if (!plane->state->fb)
+ return -EINVAL;
+
+- if (state)
+- crtc_state = drm_atomic_get_existing_crtc_state(state,
+- new_plane_state->crtc);
+- else /* Special case for asynchronous cursor updates. */
++ crtc_state = drm_atomic_get_existing_crtc_state(state, new_plane_state->crtc);
++
++ /* Special case for asynchronous cursor updates. */
++ if (!crtc_state)
+ crtc_state = plane->crtc->state;
+
+ return drm_atomic_helper_check_plane_state(plane->state, crtc_state,
+--
+2.43.0
+
diff --git a/queue-6.6/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_spac.patch b/queue-6.6/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_spac.patch
new file mode 100644
index 00000000000..6855409c7e7
--- /dev/null
+++ b/queue-6.6/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_spac.patch
@@ -0,0 +1,48 @@
+From d636800f896c4ba93e2ded8683d40c337bcf5180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Nov 2024 11:58:17 +0100
+Subject: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
+
+From: Paolo Abeni
+
+[ Upstream commit ce7356ae35943cc6494cc692e62d51a734062b7d ]
+
+Additional active subflows - i.e. created by the in kernel path
+manager - are included into the subflow list before starting the
+3whs.
+
+A racing recvmsg() spooling data received on an already established
+subflow would unconditionally call tcp_cleanup_rbuf() on all the
+current subflows, potentially hitting a divide by zero error on
+the newly created ones.
+
+Explicitly check that the subflow is in a suitable state before
+invoking tcp_cleanup_rbuf().
+
+Fixes: c76c6956566f ("mptcp: call tcp_cleanup_rbuf on subflows")
+Signed-off-by: Paolo Abeni
+Reviewed-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.1731060874.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/mptcp/protocol.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index e99ef1e67e957..b8357d7c6b3a1 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2045,7 +2045,8 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied)
+ slow = lock_sock_fast(ssk);
+ WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf);
+ WRITE_ONCE(tcp_sk(ssk)->window_clamp, window_clamp);
+- tcp_cleanup_rbuf(ssk, 1);
++ if (tcp_can_send_ack(ssk))
++ tcp_cleanup_rbuf(ssk, 1);
+ unlock_sock_fast(ssk, slow);
+ }
+ }
+--
+2.43.0
+
diff --git a/queue-6.6/mptcp-error-out-earlier-on-disconnect.patch b/queue-6.6/mptcp-error-out-earlier-on-disconnect.patch
new file mode 100644
index 00000000000..466dcff0c1b
--- /dev/null
+++ b/queue-6.6/mptcp-error-out-earlier-on-disconnect.patch
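Review bot: The new `tcp_can_send_ack(ssk)` guard in `mptcp_rcv_space_adjust()` carries no comment, so the reason for it lives only in the commit message. A short comment above it would keep a later reader from dropping the check as redundant, for example `/* subflows join the list before the 3whs completes; skip those that cannot ACK yet */`. The check sits inside the `lock_sock_fast()`/`unlock_sock_fast()` pair shown in the hunk, and the function itself starts and ends outside it.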
@@ -0,0 +1,120 @@ +From c7ed87d3602425b9180d6532855ebc7614ef786d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2024 11:58:16 +0100 +Subject: mptcp: error out earlier on disconnect + +From: Paolo Abeni + +[ Upstream commit 581302298524e9d77c4c44ff5156a6cd112227ae ] + +Eric reported a division by zero splat in the MPTCP protocol: + +Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted +6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 09/13/2024 +RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163 +Code: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8 +0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 7c +24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89 +RSP: 0018:ffffc900041f7930 EFLAGS: 00010293 +RAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b +RDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004 +RBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67 +R10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80 +R13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000 +FS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +__tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493 +mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline] +mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289 +inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885 +sock_recvmsg_nosec net/socket.c:1051 [inline] +sock_recvmsg+0x1b2/0x250 net/socket.c:1073 +__sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265 +__do_sys_recvfrom net/socket.c:2283 [inline] 
+__se_sys_recvfrom net/socket.c:2279 [inline] +__x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7feb5d857559 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d +RAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559 +RDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000 +R10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c +R13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef + +and provided a nice reproducer. + +The root cause is the current bad handling of racing disconnect. +After the blamed commit below, sk_wait_data() can return (with +error) with the underlying socket disconnected and a zero rcv_mss. + +Catch the error and return without performing any additional +operations on the current socket. 
+ +Reported-by: Eric Dumazet +Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting") +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/8c82ecf71662ecbc47bf390f9905de70884c9f2d.1731060874.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index cd6f8d655c185..e99ef1e67e957 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2168,7 +2168,7 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + cmsg_flags = MPTCP_CMSG_INQ; + + while (copied < len) { +- int bytes_read; ++ int err, bytes_read; + + bytes_read = __mptcp_recvmsg_mskq(msk, msg, len - copied, flags, &tss, &cmsg_flags); + if (unlikely(bytes_read < 0)) { +@@ -2230,9 +2230,16 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + } + + pr_debug("block timeout %ld\n", timeo); +- sk_wait_data(sk, &timeo, NULL); ++ mptcp_rcv_space_adjust(msk, copied); ++ err = sk_wait_data(sk, &timeo, NULL); ++ if (err < 0) { ++ err = copied ? : err; ++ goto out_err; ++ } + } + ++ mptcp_rcv_space_adjust(msk, copied); ++ + out_err: + if (cmsg_flags && copied >= 0) { + if (cmsg_flags & MPTCP_CMSG_TS) +@@ -2248,8 +2255,6 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + pr_debug("msk=%p rx queue empty=%d:%d copied=%d\n", + msk, skb_queue_empty_lockless(&sk->sk_receive_queue), + skb_queue_empty(&msk->receive_queue), copied); +- if (!(flags & MSG_PEEK)) +- mptcp_rcv_space_adjust(msk, copied); + + release_sock(sk); + return copied; +-- +2.43.0 + diff --git a/queue-6.6/net-make-copy_safe_from_sockptr-match-documentation.patch b/queue-6.6/net-make-copy_safe_from_sockptr-match-documentation.patch new file mode 100644 index 00000000000..15a8c1df96f --- /dev/null 
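Review bot: In the new `sk_wait_data()` error branch of `mptcp_recvmsg()`, `err = copied ? : err;` is a dead store: control jumps to `out_err` and the tail shown in the last hunk returns `copied`, so `err` is never read in the visible lines. When the wait fails before any byte was copied, the caller would get 0, which reads as end-of-stream rather than as the error; `copied = copied ? : err;` would propagate it. Separately, the removed tail call was guarded by `if (!(flags & MSG_PEEK))`, while both new `mptcp_rcv_space_adjust(msk, copied)` calls are unconditional, so peeked bytes now appear to feed receive-buffer tuning; it is worth confirming that this is intended for the 6.6 backport. The function body extends beyond the hunks.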
+++ b/queue-6.6/net-make-copy_safe_from_sockptr-match-documentation.patch
@@ -0,0 +1,47 @@
+From 6c7b649c2b4ed550a298fa1e00324149e7a8687b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Nov 2024 00:17:34 +0100
+Subject: net: Make copy_safe_from_sockptr() match documentation
+
+From: Michal Luczaj
+
+[ Upstream commit eb94b7bb10109a14a5431a67e5d8e31cfa06b395 ]
+
+copy_safe_from_sockptr()
+ return copy_from_sockptr()
+ return copy_from_sockptr_offset()
+ return copy_from_user()
+
+copy_from_user() does not return an error on fault. Instead, it returns a
+number of bytes that were not copied. Have it handled.
+
+Patch has a side effect: it un-breaks garbage input handling of
+nfc_llcp_setsockopt() and mISDN's data_sock_setsockopt().
+
+Fixes: 6309863b31dd ("net: add copy_safe_from_sockptr() helper")
+Signed-off-by: Michal Luczaj
+Link: https://patch.msgid.link/20241111-sockptr-copy-ret-fix-v1-1-a520083a93fb@rbox.co
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/sockptr.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/sockptr.h b/include/linux/sockptr.h
+index 1c1a5d926b171..0eb3a2b1f81ff 100644
+--- a/include/linux/sockptr.h
++++ b/include/linux/sockptr.h
+@@ -77,7 +77,9 @@ static inline int copy_safe_from_sockptr(void *dst, size_t ksize,
+ {
+ if (optlen < ksize)
+ return -EINVAL;
+- return copy_from_sockptr(dst, optval, ksize);
++ if (copy_from_sockptr(dst, optval, ksize))
++ return -EFAULT;
++ return 0;
+ }
+
+ static inline int copy_to_sockptr_offset(sockptr_t dst, size_t offset,
+--
+2.43.0
+
diff --git a/queue-6.6/net-mlx5-fs-lock-fte-when-checking-if-active.patch b/queue-6.6/net-mlx5-fs-lock-fte-when-checking-if-active.patch
new file mode 100644
index 00000000000..97a2315cc9e
--- /dev/null
+++ b/queue-6.6/net-mlx5-fs-lock-fte-when-checking-if-active.patch
@@ -0,0 +1,130 @@ +From c43cc80be75557d1ad70774b385d14fa48319785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 20:35:23 +0200 +Subject: net/mlx5: fs, lock FTE when checking if active + +From: Mark Bloch + +[ Upstream commit 9ca314419930f9135727e39d77e66262d5f7bef6 ] + +The referenced commits introduced a two-step process for deleting FTEs: + +- Lock the FTE, delete it from hardware, set the hardware deletion function + to NULL and unlock the FTE. +- Lock the parent flow group, delete the software copy of the FTE, and + remove it from the xarray. + +However, this approach encounters a race condition if a rule with the same +match value is added simultaneously. In this scenario, fs_core may set the +hardware deletion function to NULL prematurely, causing a panic during +subsequent rule deletions. + +To prevent this, ensure the active flag of the FTE is checked under a lock, +which will prevent the fs_core layer from attaching a new steering rule to +an FTE that is in the process of deletion. + +[ 438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func +[ 438.968205] ------------[ cut here ]------------ +[ 438.968654] refcount_t: decrement hit 0; leaking memory. 
+[ 438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110 +[ 438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower] +[ 438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8 +[ 438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110 +[ 438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 +[ 438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286 +[ 438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000 +[ 438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0 +[ 438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0 +[ 438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0 +[ 438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0 +[ 438.980607] FS: 00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 +[ 438.983984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0 +[ 438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 438.986507] Call Trace: +[ 438.986799] +[ 438.987070] ? __warn+0x7d/0x110 +[ 438.987426] ? 
refcount_warn_saturate+0xfb/0x110 +[ 438.987877] ? report_bug+0x17d/0x190 +[ 438.988261] ? prb_read_valid+0x17/0x20 +[ 438.988659] ? handle_bug+0x53/0x90 +[ 438.989054] ? exc_invalid_op+0x14/0x70 +[ 438.989458] ? asm_exc_invalid_op+0x16/0x20 +[ 438.989883] ? refcount_warn_saturate+0xfb/0x110 +[ 438.990348] mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core] +[ 438.990932] __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core] +[ 438.991519] ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core] +[ 438.992054] ? xas_load+0x9/0xb0 +[ 438.992407] mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core] +[ 438.993037] mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core] +[ 438.993623] mlx5e_flow_put+0x29/0x60 [mlx5_core] +[ 438.994161] mlx5e_delete_flower+0x261/0x390 [mlx5_core] +[ 438.994728] tc_setup_cb_destroy+0xb9/0x190 +[ 438.995150] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] +[ 438.995650] fl_change+0x11a4/0x13c0 [cls_flower] +[ 438.996105] tc_new_tfilter+0x347/0xbc0 +[ 438.996503] ? ___slab_alloc+0x70/0x8c0 +[ 438.996929] rtnetlink_rcv_msg+0xf9/0x3e0 +[ 438.997339] ? __netlink_sendskb+0x4c/0x70 +[ 438.997751] ? netlink_unicast+0x286/0x2d0 +[ 438.998171] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 +[ 438.998625] netlink_rcv_skb+0x54/0x100 +[ 438.999020] netlink_unicast+0x203/0x2d0 +[ 438.999421] netlink_sendmsg+0x1e4/0x420 +[ 438.999820] __sock_sendmsg+0xa1/0xb0 +[ 439.000203] ____sys_sendmsg+0x207/0x2a0 +[ 439.000600] ? copy_msghdr_from_user+0x6d/0xa0 +[ 439.001072] ___sys_sendmsg+0x80/0xc0 +[ 439.001459] ? ___sys_recvmsg+0x8b/0xc0 +[ 439.001848] ? 
generic_update_time+0x4d/0x60 +[ 439.002282] __sys_sendmsg+0x51/0x90 +[ 439.002658] do_syscall_64+0x50/0x110 +[ 439.003040] entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fixes: 718ce4d601db ("net/mlx5: Consolidate update FTE for all removal changes") +Fixes: cefc23554fc2 ("net/mlx5: Fix FTE cleanup") +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20241107183527.676877-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index e2f7cecce6f1a..991250f44c2ed 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1946,13 +1946,22 @@ lookup_fte_locked(struct mlx5_flow_group *g, + fte_tmp = NULL; + goto out; + } ++ ++ nested_down_write_ref_node(&fte_tmp->node, FS_LOCK_CHILD); ++ + if (!fte_tmp->node.active) { ++ up_write_ref_node(&fte_tmp->node, false); ++ ++ if (take_write) ++ up_write_ref_node(&g->node, false); ++ else ++ up_read_ref_node(&g->node); ++ + tree_put_node(&fte_tmp->node, false); +- fte_tmp = NULL; +- goto out; ++ ++ return NULL; + } + +- nested_down_write_ref_node(&fte_tmp->node, FS_LOCK_CHILD); + out: + if (take_write) + up_write_ref_node(&g->node, false); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-clear-xdp-features-on-non-uplink-represent.patch b/queue-6.6/net-mlx5e-clear-xdp-features-on-non-uplink-represent.patch new file mode 100644 index 00000000000..befd5789239 --- /dev/null +++ b/queue-6.6/net-mlx5e-clear-xdp-features-on-non-uplink-represent.patch 
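Review bot: The inactive-FTE branch in lookup_fte_locked() now repeats the `take_write` unlock sequence that the `out:` label already performs and then returns directly, so there are two unlock paths that must stay in step whenever the group locking changes. The new order, FTE lock and `g->node` released before `tree_put_node()`, looks deliberate, but the hunk does not say why. A comment at the top of the branch would record it, e.g. `/* FTE is being deleted: drop both locks before releasing our reference */`. The function starts above the hunk, so the lookup and the reference acquisition are not visible here.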
@@ -0,0 +1,59 @@ +From 8ee14b950591ff7d4e931637b9806296e4862ac5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 20:35:25 +0200 +Subject: net/mlx5e: clear xdp features on non-uplink representors + +From: William Tu + +[ Upstream commit c079389878debf767dc4e52fe877b9117258dfe2 ] + +Non-uplink representor port does not support XDP. The patch clears +the xdp feature by checking the net_device_ops.ndo_bpf is set or not. + +Verify using the netlink tool: +$ tools/net/ynl/cli.py --spec Documentation/netlink/specs/netdev.yaml --dump dev-get + +Representor netdev before the patch: +{'ifindex': 8, + 'xdp-features': {'basic', + 'ndo-xmit', + 'ndo-xmit-sg', + 'redirect', + 'rx-sg', + 'xsk-zerocopy'}, + 'xdp-rx-metadata-features': set(), + 'xdp-zc-max-segs': 1, + 'xsk-features': set()}, +With the patch: + {'ifindex': 8, + 'xdp-features': set(), + 'xdp-rx-metadata-features': set(), + 'xsk-features': set()}, + +Fixes: 4d5ab0ad964d ("net/mlx5e: take into account device reconfiguration for xdp_features flag") +Signed-off-by: William Tu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20241107183527.676877-6-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index a65c407aa60bd..6e431f587c233 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4067,7 +4067,8 @@ void mlx5e_set_xdp_feature(struct net_device *netdev) + struct mlx5e_params *params = &priv->channels.params; + xdp_features_t val; + +- if (params->packet_merge.type != MLX5E_PACKET_MERGE_NONE) { ++ if (!netdev->netdev_ops->ndo_bpf || ++ params->packet_merge.type != MLX5E_PACKET_MERGE_NONE) { + xdp_clear_features_flag(netdev); + return; + } +-- +2.43.0 + 
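Review bot: The added `!netdev->netdev_ops->ndo_bpf` test in mlx5e_set_xdp_feature() uses the presence of a callback as the capability check, which is not obvious from the condition alone. A comment above it would keep a later change from dropping it, e.g. `/* no ndo_bpf: this netdev (non-uplink representor) cannot attach XDP programs */`. The test also dereferences `netdev->netdev_ops` unconditionally, so it assumes the ops table is already assigned whenever this helper runs. The callers are outside the hunk, so that assumption is worth confirming.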
diff --git a/queue-6.6/net-mlx5e-ct-fix-null-ptr-deref-in-add-rule-err-flow.patch b/queue-6.6/net-mlx5e-ct-fix-null-ptr-deref-in-add-rule-err-flow.patch new file mode 100644 index 00000000000..fe1a7657a13 --- /dev/null +++ b/queue-6.6/net-mlx5e-ct-fix-null-ptr-deref-in-add-rule-err-flow.patch 
@@ -0,0 +1,71 @@ +From beeb0a124a229811ab38dc62c18b9c789c8c3d81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 20:35:26 +0200 +Subject: net/mlx5e: CT: Fix null-ptr-deref in add rule err flow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Moshe Shemesh + +[ Upstream commit e99c6873229fe0482e7ceb7d5600e32d623ed9d9 ] + +In error flow of mlx5_tc_ct_entry_add_rule(), in case ct_rule_add() +callback returns error, zone_rule->attr is used uninitiated. Fix it to +use attr which has the needed pointer value. + +Kernel log: + BUG: kernel NULL pointer dereference, address: 0000000000000110 + RIP: 0010:mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core] +… + Call Trace: + + ? __die+0x20/0x70 + ? page_fault_oops+0x150/0x3e0 + ? exc_page_fault+0x74/0x140 + ? asm_exc_page_fault+0x22/0x30 + ? mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core] + ? mlx5_tc_ct_entry_add_rule+0x1d5/0x2f0 [mlx5_core] + mlx5_tc_ct_block_flow_offload+0xc6a/0xf90 [mlx5_core] + ? nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table] + nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table] + flow_offload_work_handler+0x142/0x320 [nf_flow_table] + ? finish_task_switch.isra.0+0x15b/0x2b0 + process_one_work+0x16c/0x320 + worker_thread+0x28c/0x3a0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xb8/0xf0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2d/0x50 + ? 
__pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + + +Fixes: 7fac5c2eced3 ("net/mlx5: CT: Avoid reusing modify header context for natted entries") +Signed-off-by: Moshe Shemesh +Reviewed-by: Cosmin Ratiu +Reviewed-by: Yevgeny Kliteynik +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20241107183527.676877-7-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +index 8c4e3ecef5901..65cee5c6f1dd6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +@@ -854,7 +854,7 @@ mlx5_tc_ct_entry_add_rule(struct mlx5_tc_ct_priv *ct_priv, + return 0; + + err_rule: +- mlx5_tc_ct_entry_destroy_mod_hdr(ct_priv, zone_rule->attr, zone_rule->mh); ++ mlx5_tc_ct_entry_destroy_mod_hdr(ct_priv, attr, zone_rule->mh); + mlx5_put_label_mapping(ct_priv, attr->ct_attr.ct_labels_id); + err_mod_hdr: + kfree(attr); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-ktls-fix-incorrect-page-refcounting.patch b/queue-6.6/net-mlx5e-ktls-fix-incorrect-page-refcounting.patch new file mode 100644 index 00000000000..0b2edeed9ce --- /dev/null +++ b/queue-6.6/net-mlx5e-ktls-fix-incorrect-page-refcounting.patch 
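Review bot: The corrected call at `err_rule:` still reads `zone_rule->mh`, and the hunk does not show where that field is assigned. It is worth confirming that it is always set before any `goto err_rule`, unlike `zone_rule->attr`, which per the commit message is not yet set on this path. A short comment at the label would document the distinction the fix relies on, e.g. `/* zone_rule->attr is not assigned yet on this path; use the local attr */`. The body of mlx5_tc_ct_entry_add_rule() above `return 0;` is outside the hunk.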
@@ -0,0 +1,72 @@ +From 4d3ecd5d9acae64d4945f9dddf90b60cbe7b74d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 20:35:24 +0200 +Subject: net/mlx5e: kTLS, Fix incorrect page refcounting + +From: Dragos Tatulea + +[ Upstream commit dd6e972cc5890d91d6749bb48e3912721c4e4b25 ] + +The kTLS tx handling code is using a mix of get_page() and +page_ref_inc() APIs to increment the page reference. But on the release +path (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used. + +This is an issue when using pages from large folios: the get_page() +references are stored on the folio page while the page_ref_inc() +references are stored directly in the given page. On release the folio +page will be dereferenced too many times. + +This was found while doing kTLS testing with sendfile() + ZC when the +served file was read from NFS on a kernel with NFS large folios support +(commit 49b29a573da8 ("nfs: add support for large folios")). + +Fixes: 84d1bb2b139e ("net/mlx5e: kTLS, Limit DUMP wqe size") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20241107183527.676877-5-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c +index d61be26a4df1a..3db31cc107192 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c +@@ -660,7 +660,7 @@ tx_sync_info_get(struct mlx5e_ktls_offload_context_tx *priv_tx, + while (remaining > 0) { + skb_frag_t *frag = &record->frags[i]; + +- get_page(skb_frag_page(frag)); ++ page_ref_inc(skb_frag_page(frag)); + remaining -= skb_frag_size(frag); + info->frags[i++] = *frag; + } +@@ -763,7 +763,7 @@ void 
mlx5e_ktls_tx_handle_resync_dump_comp(struct mlx5e_txqsq *sq, + stats = sq->stats; + + mlx5e_tx_dma_unmap(sq->pdev, dma); +- put_page(wi->resync_dump_frag_page); ++ page_ref_dec(wi->resync_dump_frag_page); + stats->tls_dump_packets++; + stats->tls_dump_bytes += wi->num_bytes; + } +@@ -816,12 +816,12 @@ mlx5e_ktls_tx_handle_ooo(struct mlx5e_ktls_offload_context_tx *priv_tx, + + err_out: + for (; i < info.nr_frags; i++) +- /* The put_page() here undoes the page ref obtained in tx_sync_info_get(). ++ /* The page_ref_dec() here undoes the page ref obtained in tx_sync_info_get(). + * Page refs obtained for the DUMP WQEs above (by page_ref_add) will be + * released only upon their completions (or in mlx5e_free_txqsq_descs, + * if channel closes). + */ +- put_page(skb_frag_page(&info.frags[i])); ++ page_ref_dec(skb_frag_page(&info.frags[i])); + + return MLX5E_KTLS_SYNC_FAIL; + } +-- +2.43.0 + diff --git a/queue-6.6/net-sched-cls_u32-fix-u32-s-systematic-failure-to-fr.patch b/queue-6.6/net-sched-cls_u32-fix-u32-s-systematic-failure-to-fr.patch new file mode 100644 index 00000000000..98b168c1785 --- /dev/null +++ b/queue-6.6/net-sched-cls_u32-fix-u32-s-systematic-failure-to-fr.patch 
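Review bot: Replacing `put_page()` with `page_ref_dec()` in mlx5e_ktls_tx_handle_resync_dump_comp() and in the `err_out:` loop of mlx5e_ktls_tx_handle_ooo() removes the only calls on these paths that would free the page when its count reaches zero, because `page_ref_dec()` only decrements. That is safe only if another holder always outlives these references, presumably the TLS record whose frags are copied in tx_sync_info_get(). Otherwise the page would be left at refcount zero without being freed. The hunks do not show that guarantee, so once confirmed it should be stated next to the decrement, e.g. `/* never the last ref: the tls record keeps its own reference on the frag page */`.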
@@ -0,0 +1,101 @@ +From bfb5bca0457e6c2a272228614430e367b545a729 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2024 18:28:36 +0100 +Subject: net: sched: cls_u32: Fix u32's systematic failure to free IDR entries + for hnodes. + +From: Alexandre Ferrieux + +[ Upstream commit 73af53d82076bbe184d9ece9e14b0dc8599e6055 ] + +To generate hnode handles (in gen_new_htid()), u32 uses IDR and +encodes the returned small integer into a structured 32-bit +word. Unfortunately, at disposal time, the needed decoding +is not done. As a result, idr_remove() fails, and the IDR +fills up. Since its size is 2048, the following script ends up +with "Filter already exists": + + tc filter add dev myve $FILTER1 + tc filter add dev myve $FILTER2 + for i in {1..2048} + do + echo $i + tc filter del dev myve $FILTER2 + tc filter add dev myve $FILTER2 + done + +This patch adds the missing decoding logic for handles that +deserve it. + +Fixes: e7614370d6f0 ("net_sched: use idr to allocate u32 filter handles") +Reviewed-by: Eric Dumazet +Acked-by: Jamal Hadi Salim +Signed-off-by: Alexandre Ferrieux +Tested-by: Victor Nogueira +Link: https://patch.msgid.link/20241110172836.331319-1-alexandre.ferrieux@orange.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index b3531f458adaf..67f27be138487 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -92,6 +92,16 @@ struct tc_u_common { + long knodes; + }; + ++static u32 handle2id(u32 h) ++{ ++ return ((h & 0x80000000) ? 
((h >> 20) & 0x7FF) : h); ++} ++ ++static u32 id2handle(u32 id) ++{ ++ return (id | 0x800U) << 20; ++} ++ + static inline unsigned int u32_hash_fold(__be32 key, + const struct tc_u32_sel *sel, + u8 fshift) +@@ -310,7 +320,7 @@ static u32 gen_new_htid(struct tc_u_common *tp_c, struct tc_u_hnode *ptr) + int id = idr_alloc_cyclic(&tp_c->handle_idr, ptr, 1, 0x7FF, GFP_KERNEL); + if (id < 0) + return 0; +- return (id | 0x800U) << 20; ++ return id2handle(id); + } + + static struct hlist_head *tc_u_common_hash; +@@ -360,7 +370,7 @@ static int u32_init(struct tcf_proto *tp) + return -ENOBUFS; + + refcount_set(&root_ht->refcnt, 1); +- root_ht->handle = tp_c ? gen_new_htid(tp_c, root_ht) : 0x80000000; ++ root_ht->handle = tp_c ? gen_new_htid(tp_c, root_ht) : id2handle(0); + root_ht->prio = tp->prio; + root_ht->is_root = true; + idr_init(&root_ht->handle_idr); +@@ -612,7 +622,7 @@ static int u32_destroy_hnode(struct tcf_proto *tp, struct tc_u_hnode *ht, + if (phn == ht) { + u32_clear_hw_hnode(tp, ht, extack); + idr_destroy(&ht->handle_idr); +- idr_remove(&tp_c->handle_idr, ht->handle); ++ idr_remove(&tp_c->handle_idr, handle2id(ht->handle)); + RCU_INIT_POINTER(*hn, ht->next); + kfree_rcu(ht, rcu); + return 0; +@@ -989,7 +999,7 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + + err = u32_replace_hw_hnode(tp, ht, userflags, extack); + if (err) { +- idr_remove(&tp_c->handle_idr, handle); ++ idr_remove(&tp_c->handle_idr, handle2id(handle)); + kfree(ht); + return err; + } +-- +2.43.0 + diff --git a/queue-6.6/net-sched-cls_u32-replace-int-refcounts-with-proper-.patch b/queue-6.6/net-sched-cls_u32-replace-int-refcounts-with-proper-.patch new file mode 100644 index 00000000000..7a97ad56c47 --- /dev/null +++ b/queue-6.6/net-sched-cls_u32-replace-int-refcounts-with-proper-.patch 
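Review bot: handle2id() decodes every handle that has bit 31 set, so both idr_remove() call sites are correct only when the entry was inserted under the small id that gen_new_htid() obtains from idr_alloc_cyclic(). The u32_change() hunk removes `handle2id(handle)` on the error path, but the insertion of `handle` into `tp_c->handle_idr` is outside the hunk. If an explicitly requested handle is stored under its raw value, one with bit 31 set would be removed under a different key than it was inserted under, dropping another hnode's entry or leaving a stale one; the insert side should be checked for the same encoding. Separately, `0x80000000`, `0x7FF`, `0x800U` and `20` are repeated across handle2id(), id2handle() and gen_new_htid(), and named constants would keep the three in agreement.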
@@ -0,0 +1,200 @@ +From b40f65f4ac00a32f631edd6879be949581ab0559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 11:18:55 -0300 +Subject: net/sched: cls_u32: replace int refcounts with proper refcounts + +From: Pedro Tammela + +[ Upstream commit 6b78debe1c07e6aa3c91ca0b1384bf3cb8217c50 ] + +Proper refcounts will always warn splat when something goes wrong, +be it underflow, saturation or object resurrection. As these are always +a source of bugs, use it in cls_u32 as a safeguard to prevent/catch issues. +Another benefit is that the refcount API self documents the code, making +clear when transitions to dead are expected. + +For such an update we had to make minor adaptations on u32 to fit the refcount +API. First we set explicitly to '1' when objects are created, then the +objects are alive until a 1 -> 0 happens, which is then released appropriately. + +The above made clear some redundant operations in the u32 code +around the root_ht handling that were removed. The root_ht is created +with a refcnt set to 1. Then when it's associated with tcf_proto it increments the refcnt to 2. +Throughout the entire code the root_ht is an exceptional case and can never be referenced, +therefore the refcnt never incremented/decremented. +Its lifetime is always bound to tcf_proto, meaning if you delete tcf_proto +the root_ht is deleted as well. The code made up for the fact that root_ht refcnt is 2 and did +a double decrement to free it, which is not a fit for the refcount API. + +Even though refcount_t is implemented using atomics, we should observe +a negligible control plane impact. 
+ +Signed-off-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20231114141856.974326-2-pctammela@mojatatu.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 73af53d82076 ("net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes.") +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 6663e971a13e7..b3531f458adaf 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -71,7 +71,7 @@ struct tc_u_hnode { + struct tc_u_hnode __rcu *next; + u32 handle; + u32 prio; +- int refcnt; ++ refcount_t refcnt; + unsigned int divisor; + struct idr handle_idr; + bool is_root; +@@ -86,7 +86,7 @@ struct tc_u_hnode { + struct tc_u_common { + struct tc_u_hnode __rcu *hlist; + void *ptr; +- int refcnt; ++ refcount_t refcnt; + struct idr handle_idr; + struct hlist_node hnode; + long knodes; +@@ -359,7 +359,7 @@ static int u32_init(struct tcf_proto *tp) + if (root_ht == NULL) + return -ENOBUFS; + +- root_ht->refcnt++; ++ refcount_set(&root_ht->refcnt, 1); + root_ht->handle = tp_c ? 
gen_new_htid(tp_c, root_ht) : 0x80000000; + root_ht->prio = tp->prio; + root_ht->is_root = true; +@@ -371,18 +371,20 @@ static int u32_init(struct tcf_proto *tp) + kfree(root_ht); + return -ENOBUFS; + } ++ refcount_set(&tp_c->refcnt, 1); + tp_c->ptr = key; + INIT_HLIST_NODE(&tp_c->hnode); + idr_init(&tp_c->handle_idr); + + hlist_add_head(&tp_c->hnode, tc_u_hash(key)); ++ } else { ++ refcount_inc(&tp_c->refcnt); + } + +- tp_c->refcnt++; + RCU_INIT_POINTER(root_ht->next, tp_c->hlist); + rcu_assign_pointer(tp_c->hlist, root_ht); + +- root_ht->refcnt++; ++ /* root_ht must be destroyed when tcf_proto is destroyed */ + rcu_assign_pointer(tp->root, root_ht); + tp->data = tp_c; + return 0; +@@ -393,7 +395,7 @@ static void __u32_destroy_key(struct tc_u_knode *n) + struct tc_u_hnode *ht = rtnl_dereference(n->ht_down); + + tcf_exts_destroy(&n->exts); +- if (ht && --ht->refcnt == 0) ++ if (ht && refcount_dec_and_test(&ht->refcnt)) + kfree(ht); + kfree(n); + } +@@ -601,8 +603,6 @@ static int u32_destroy_hnode(struct tcf_proto *tp, struct tc_u_hnode *ht, + struct tc_u_hnode __rcu **hn; + struct tc_u_hnode *phn; + +- WARN_ON(--ht->refcnt); +- + u32_clear_hnode(tp, ht, extack); + + hn = &tp_c->hlist; +@@ -630,10 +630,10 @@ static void u32_destroy(struct tcf_proto *tp, bool rtnl_held, + + WARN_ON(root_ht == NULL); + +- if (root_ht && --root_ht->refcnt == 1) ++ if (root_ht && refcount_dec_and_test(&root_ht->refcnt)) + u32_destroy_hnode(tp, root_ht, extack); + +- if (--tp_c->refcnt == 0) { ++ if (refcount_dec_and_test(&tp_c->refcnt)) { + struct tc_u_hnode *ht; + + hlist_del(&tp_c->hnode); +@@ -645,7 +645,7 @@ static void u32_destroy(struct tcf_proto *tp, bool rtnl_held, + /* u32_destroy_key() will later free ht for us, if it's + * still referenced by some knode + */ +- if (--ht->refcnt == 0) ++ if (refcount_dec_and_test(&ht->refcnt)) + kfree_rcu(ht, rcu); + } + +@@ -674,7 +674,7 @@ static int u32_delete(struct tcf_proto *tp, void *arg, bool *last, + return -EINVAL; + } + +- if 
(ht->refcnt == 1) { ++ if (refcount_dec_if_one(&ht->refcnt)) { + u32_destroy_hnode(tp, ht, extack); + } else { + NL_SET_ERR_MSG_MOD(extack, "Can not delete in-use filter"); +@@ -682,7 +682,7 @@ static int u32_delete(struct tcf_proto *tp, void *arg, bool *last, + } + + out: +- *last = tp_c->refcnt == 1 && tp_c->knodes == 0; ++ *last = refcount_read(&tp_c->refcnt) == 1 && tp_c->knodes == 0; + return ret; + } + +@@ -766,14 +766,14 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + NL_SET_ERR_MSG_MOD(extack, "Not linking to root node"); + return -EINVAL; + } +- ht_down->refcnt++; ++ refcount_inc(&ht_down->refcnt); + } + + ht_old = rtnl_dereference(n->ht_down); + rcu_assign_pointer(n->ht_down, ht_down); + + if (ht_old) +- ht_old->refcnt--; ++ refcount_dec(&ht_old->refcnt); + } + + if (ifindex >= 0) +@@ -852,7 +852,7 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp, + + /* bump reference count as long as we hold pointer to structure */ + if (ht) +- ht->refcnt++; ++ refcount_inc(&ht->refcnt); + + return new; + } +@@ -932,7 +932,7 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + + ht_old = rtnl_dereference(n->ht_down); + if (ht_old) +- ht_old->refcnt++; ++ refcount_inc(&ht_old->refcnt); + } + __u32_destroy_key(new); + return err; +@@ -980,7 +980,7 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + return err; + } + } +- ht->refcnt = 1; ++ refcount_set(&ht->refcnt, 1); + ht->divisor = divisor; + ht->handle = handle; + ht->prio = tp->prio; +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-dwmac-intel-plat-use-devm_stmmac_probe_co.patch b/queue-6.6/net-stmmac-dwmac-intel-plat-use-devm_stmmac_probe_co.patch new file mode 100644 index 00000000000..8eeeaf1a971 --- /dev/null +++ b/queue-6.6/net-stmmac-dwmac-intel-plat-use-devm_stmmac_probe_co.patch 
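Review bot: In u32_delete() the hnode count is now taken to zero by `refcount_dec_if_one()` before u32_destroy_hnode() runs, and the result of u32_destroy_hnode() is still discarded there. If that function can return without finding `ht` in `tp_c->hlist` (its tail is outside the hunks), the object stays allocated with a zero refcount, and the `WARN_ON(--ht->refcnt)` that used to flag an unexpected count has been removed. Either propagate the result with `ret = u32_destroy_hnode(tp, ht, extack);` or add a comment stating why the lookup cannot fail at this point.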
@@ -0,0 +1,107 @@ +From 5a82ccf359960a8383584de2f023950eb663a53e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Sep 2023 15:58:13 +0800 +Subject: net: stmmac: dwmac-intel-plat: use devm_stmmac_probe_config_dt() + +From: Jisheng Zhang + +[ Upstream commit abea8fd5e801a679312479b2bf00d7b4285eca78 ] + +Simplify the driver's probe() function by using the devres +variant of stmmac_probe_config_dt(). + +The calling of stmmac_pltfr_remove() now needs to be switched to +stmmac_pltfr_remove_no_dt(). + +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Stable-dep-of: 5b366eae7193 ("stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines") +Signed-off-by: Sasha Levin +--- + .../stmicro/stmmac/dwmac-intel-plat.c | 27 +++++++------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c +index d352a14f9d483..d1aec2ca2b429 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c +@@ -85,17 +85,15 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + if (ret) + return ret; + +- plat_dat = stmmac_probe_config_dt(pdev, stmmac_res.mac); ++ plat_dat = devm_stmmac_probe_config_dt(pdev, stmmac_res.mac); + if (IS_ERR(plat_dat)) { + dev_err(&pdev->dev, "dt configuration failed\n"); + return PTR_ERR(plat_dat); + } + + dwmac = devm_kzalloc(&pdev->dev, sizeof(*dwmac), GFP_KERNEL); +- if (!dwmac) { +- ret = -ENOMEM; +- goto err_remove_config_dt; +- } ++ if (!dwmac) ++ return -ENOMEM; + + dwmac->dev = &pdev->dev; + dwmac->tx_clk = NULL; +@@ -110,10 +108,8 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + /* Enable TX clock */ + if (dwmac->data->tx_clk_en) { + dwmac->tx_clk = devm_clk_get(&pdev->dev, "tx_clk"); +- if (IS_ERR(dwmac->tx_clk)) { +- ret = PTR_ERR(dwmac->tx_clk); +- goto err_remove_config_dt; +- } ++ if 
(IS_ERR(dwmac->tx_clk)) ++ return PTR_ERR(dwmac->tx_clk); + + clk_prepare_enable(dwmac->tx_clk); + +@@ -126,7 +122,7 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, + "Failed to set tx_clk\n"); +- goto err_remove_config_dt; ++ return ret; + } + } + } +@@ -140,7 +136,7 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, + "Failed to set clk_ptp_ref\n"); +- goto err_remove_config_dt; ++ return ret; + } + } + } +@@ -158,22 +154,17 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + ret = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res); + if (ret) { + clk_disable_unprepare(dwmac->tx_clk); +- goto err_remove_config_dt; ++ return ret; + } + + return 0; +- +-err_remove_config_dt: +- stmmac_remove_config_dt(pdev, plat_dat); +- +- return ret; + } + + static void intel_eth_plat_remove(struct platform_device *pdev) + { + struct intel_dwmac *dwmac = get_stmmac_bsp_priv(&pdev->dev); + +- stmmac_pltfr_remove(pdev); ++ stmmac_pltfr_remove_no_dt(pdev); + clk_disable_unprepare(dwmac->tx_clk); + } + +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-dwmac-mediatek-fix-inverted-handling-of-m.patch b/queue-6.6/net-stmmac-dwmac-mediatek-fix-inverted-handling-of-m.patch new file mode 100644 index 00000000000..407aad19fcd --- /dev/null +++ b/queue-6.6/net-stmmac-dwmac-mediatek-fix-inverted-handling-of-m.patch 
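Review bot: With the `err_remove_config_dt` label gone, the `return ret;` after "Failed to set tx_clk" and after "Failed to set clk_ptp_ref" leave intel_eth_plat_probe() with `tx_clk` still prepared and enabled, since only the stmmac_dvr_probe() failure path calls `clk_disable_unprepare(dwmac->tx_clk)`. The result of `clk_prepare_enable(dwmac->tx_clk)` is not checked either. The imbalance predates this change, because the old label did not disable the clock, and the Stable-dep-of trailer suggests a follow-up addresses it. If this patch is carried alone, those two paths want `clk_disable_unprepare(dwmac->tx_clk);` before the return, and the enable wants `ret = clk_prepare_enable(dwmac->tx_clk); if (ret) return ret;`.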
@@ -0,0 +1,46 @@ +From 739929fe8cb45d724af6df559c561a0b935acb40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Nov 2024 10:16:32 -0500 +Subject: net: stmmac: dwmac-mediatek: Fix inverted handling of + mediatek,mac-wol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit a03b18a71c128846360cc81ac6fdb0e7d41597b4 ] + +The mediatek,mac-wol property is being handled backwards to what is +described in the binding: it currently enables PHY WOL when the property +is present and vice versa. Invert the driver logic so it matches the +binding description. + +Fixes: fd1d62d80ebc ("net: stmmac: replace the use_phy_wol field with a flag") +Signed-off-by: Nícolas F. R. A. Prado +Link: https://patch.msgid.link/20241109-mediatek-mac-wol-noninverted-v2-1-0e264e213878@collabora.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c +index cd796ec04132d..634ea6b33ea3c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c +@@ -589,9 +589,9 @@ static int mediatek_dwmac_common_data(struct platform_device *pdev, + + plat->mac_interface = priv_plat->phy_mode; + if (priv_plat->mac_wol) +- plat->flags |= STMMAC_FLAG_USE_PHY_WOL; +- else + plat->flags &= ~STMMAC_FLAG_USE_PHY_WOL; ++ else ++ plat->flags |= STMMAC_FLAG_USE_PHY_WOL; + plat->riwt_off = 1; + plat->maxmtu = ETH_DATA_LEN; + plat->host_dma_width = priv_plat->variant->dma_bit_mask; +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-dwmac-visconti-use-devm_stmmac_probe_conf.patch b/queue-6.6/net-stmmac-dwmac-visconti-use-devm_stmmac_probe_conf.patch new file mode 100644 index 00000000000..84fbe636ee2 --- /dev/null 
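Review bot: The corrected branch in mediatek_dwmac_common_data() still reads as inverted at first sight, because `mac_wol` being set clears a flag, and there is no comment to stop the next reader from "fixing" it back. A comment on the `if` would pin the intent, e.g. `/* mediatek,mac-wol: WoL is handled by the MAC, so do not hand it to the PHY */`. The binding text is not part of the hunk, so the wording should be checked against it.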
+++ b/queue-6.6/net-stmmac-dwmac-visconti-use-devm_stmmac_probe_conf.patch 
@@ -0,0 +1,82 @@ +From eb5f0d16d3cf1fec6c249b2c3e909ab88beaef6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Sep 2023 15:58:27 +0800 +Subject: net: stmmac: dwmac-visconti: use devm_stmmac_probe_config_dt() + +From: Jisheng Zhang + +[ Upstream commit d336a117b593e96559c309bb250f06b4fc22998f ] + +Simplify the driver's probe() function by using the devres +variant of stmmac_probe_config_dt(). + +The calling of stmmac_pltfr_remove() now needs to be switched to +stmmac_pltfr_remove_no_dt(). + +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Stable-dep-of: 5b366eae7193 ("stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines") +Signed-off-by: Sasha Levin +--- + .../ethernet/stmicro/stmmac/dwmac-visconti.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c +index 22d113fb8e09c..45f5d66a11c26 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c +@@ -220,15 +220,13 @@ static int visconti_eth_dwmac_probe(struct platform_device *pdev) + if (ret) + return ret; + +- plat_dat = stmmac_probe_config_dt(pdev, stmmac_res.mac); ++ plat_dat = devm_stmmac_probe_config_dt(pdev, stmmac_res.mac); + if (IS_ERR(plat_dat)) + return PTR_ERR(plat_dat); + + dwmac = devm_kzalloc(&pdev->dev, sizeof(*dwmac), GFP_KERNEL); +- if (!dwmac) { +- ret = -ENOMEM; +- goto remove_config; +- } ++ if (!dwmac) ++ return -ENOMEM; + + spin_lock_init(&dwmac->lock); + dwmac->reg = stmmac_res.addr; +@@ -238,7 +236,7 @@ static int visconti_eth_dwmac_probe(struct platform_device *pdev) + + ret = visconti_eth_clock_probe(pdev, plat_dat); + if (ret) +- goto remove_config; ++ return ret; + + visconti_eth_init_hw(pdev, plat_dat); + +@@ -252,22 +250,15 @@ static int visconti_eth_dwmac_probe(struct platform_device *pdev) + + remove: + 
visconti_eth_clock_remove(pdev); +-remove_config: +- stmmac_remove_config_dt(pdev, plat_dat); + + return ret; + } + + static void visconti_eth_dwmac_remove(struct platform_device *pdev) + { +- struct net_device *ndev = platform_get_drvdata(pdev); +- struct stmmac_priv *priv = netdev_priv(ndev); +- +- stmmac_pltfr_remove(pdev); ++ stmmac_pltfr_remove_no_dt(pdev); + + visconti_eth_clock_remove(pdev); +- +- stmmac_remove_config_dt(pdev, priv->plat); + } + + static const struct of_device_id visconti_eth_dwmac_match[] = { +-- +2.43.0 + diff --git a/queue-6.6/net-stmmac-rename-stmmac_pltfr_remove_no_dt-to-stmma.patch b/queue-6.6/net-stmmac-rename-stmmac_pltfr_remove_no_dt-to-stmma.patch new file mode 100644 index 00000000000..d4194707f9f --- /dev/null +++ b/queue-6.6/net-stmmac-rename-stmmac_pltfr_remove_no_dt-to-stmma.patch 
@@ -0,0 +1,118 @@ +From edcdd770166ae54ba1e60b490d99712523e80c70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Sep 2023 15:58:28 +0800 +Subject: net: stmmac: rename stmmac_pltfr_remove_no_dt to stmmac_pltfr_remove + +From: Jisheng Zhang + +[ Upstream commit 2c9fc838067b02cb3e6057fef5cd7cf1c04a95aa ] + +Now, all users of the old stmmac_pltfr_remove() are converted to the +devres helper, it's time to rename stmmac_pltfr_remove_no_dt() back to +stmmac_pltfr_remove() and remove the old stmmac_pltfr_remove(). + +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Stable-dep-of: 5b366eae7193 ("stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines") +Signed-off-by: Sasha Levin +--- + .../stmicro/stmmac/dwmac-intel-plat.c | 2 +- + .../ethernet/stmicro/stmmac/dwmac-visconti.c | 3 +-- + .../ethernet/stmicro/stmmac/stmmac_platform.c | 23 +++---------------- + .../ethernet/stmicro/stmmac/stmmac_platform.h | 1 - + 4 files changed, 5 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c +index d1aec2ca2b429..70edc5232379f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c +@@ -164,7 +164,7 @@ static void intel_eth_plat_remove(struct platform_device *pdev) + { + struct intel_dwmac *dwmac = get_stmmac_bsp_priv(&pdev->dev); + +- stmmac_pltfr_remove_no_dt(pdev); ++ stmmac_pltfr_remove(pdev); + clk_disable_unprepare(dwmac->tx_clk); + } + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c +index 45f5d66a11c26..a5a5cfa989c6e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c +@@ -256,8 +256,7 @@ static int visconti_eth_dwmac_probe(struct platform_device *pdev) + + static void visconti_eth_dwmac_remove(struct 
platform_device *pdev) + { +- stmmac_pltfr_remove_no_dt(pdev); +- ++ stmmac_pltfr_remove(pdev); + visconti_eth_clock_remove(pdev); + } + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index 30d5e635190e6..b4fdd40be63cb 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -810,7 +810,7 @@ static void devm_stmmac_pltfr_remove(void *data) + { + struct platform_device *pdev = data; + +- stmmac_pltfr_remove_no_dt(pdev); ++ stmmac_pltfr_remove(pdev); + } + + /** +@@ -837,12 +837,12 @@ int devm_stmmac_pltfr_probe(struct platform_device *pdev, + EXPORT_SYMBOL_GPL(devm_stmmac_pltfr_probe); + + /** +- * stmmac_pltfr_remove_no_dt ++ * stmmac_pltfr_remove + * @pdev: pointer to the platform device + * Description: This undoes the effects of stmmac_pltfr_probe() by removing the + * driver and calling the platform's exit() callback. + */ +-void stmmac_pltfr_remove_no_dt(struct platform_device *pdev) ++void stmmac_pltfr_remove(struct platform_device *pdev) + { + struct net_device *ndev = platform_get_drvdata(pdev); + struct stmmac_priv *priv = netdev_priv(ndev); +@@ -851,23 +851,6 @@ void stmmac_pltfr_remove_no_dt(struct platform_device *pdev) + stmmac_dvr_remove(&pdev->dev); + stmmac_pltfr_exit(pdev, plat); + } +-EXPORT_SYMBOL_GPL(stmmac_pltfr_remove_no_dt); +- +-/** +- * stmmac_pltfr_remove +- * @pdev: platform device pointer +- * Description: this function calls the main to free the net resources +- * and calls the platforms hook and release the resources (e.g. mem). 
+- */ +-void stmmac_pltfr_remove(struct platform_device *pdev) +-{ +- struct net_device *ndev = platform_get_drvdata(pdev); +- struct stmmac_priv *priv = netdev_priv(ndev); +- struct plat_stmmacenet_data *plat = priv->plat; +- +- stmmac_pltfr_remove_no_dt(pdev); +- stmmac_remove_config_dt(pdev, plat); +-} + EXPORT_SYMBOL_GPL(stmmac_pltfr_remove); + + /** +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h +index c5565b2a70acc..bb07a99e1248b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h +@@ -32,7 +32,6 @@ int stmmac_pltfr_probe(struct platform_device *pdev, + int devm_stmmac_pltfr_probe(struct platform_device *pdev, + struct plat_stmmacenet_data *plat, + struct stmmac_resources *res); +-void stmmac_pltfr_remove_no_dt(struct platform_device *pdev); + void stmmac_pltfr_remove(struct platform_device *pdev); + extern const struct dev_pm_ops stmmac_pltfr_pm_ops; + +-- +2.43.0 + diff --git a/queue-6.6/net-ti-icssg-prueth-fix-1-pps-sync.patch b/queue-6.6/net-ti-icssg-prueth-fix-1-pps-sync.patch new file mode 100644 index 00000000000..c19183d97dd --- /dev/null +++ b/queue-6.6/net-ti-icssg-prueth-fix-1-pps-sync.patch 
@@ -0,0 +1,93 @@ +From a6233c70d6a0c1ed43fc3ee1b94ded2ba96aeafb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2024 15:28:42 +0530 +Subject: net: ti: icssg-prueth: Fix 1 PPS sync + +From: Meghana Malladi + +[ Upstream commit dc065076ee7768377d7c16af7d1b0767782d8c98 ] + +The first PPS latch time needs to be calculated by the driver +(in rounded off seconds) and configured as the start time +offset for the cycle. After synchronizing two PTP clocks +running as master/slave, missing this would cause master +and slave to start immediately with some milliseconds +drift which causes the PPS signal to never synchronize with +the PTP master. + +Fixes: 186734c15886 ("net: ti: icssg-prueth: add packet timestamping and ptp support") +Signed-off-by: Meghana Malladi +Reviewed-by: Vadim Fedorenko +Reviewed-by: MD Danish Anwar +Link: https://patch.msgid.link/20241111095842.478833-1-m-malladi@ti.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 +++++++++++-- + drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 ++++++++++++ + 2 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.c b/drivers/net/ethernet/ti/icssg/icssg_prueth.c +index fb120baee5532..7efb3e347c042 100644 +--- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c ++++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1245,6 +1246,8 @@ static int prueth_perout_enable(void *clockops_data, + struct prueth_emac *emac = clockops_data; + u32 reduction_factor = 0, offset = 0; + struct timespec64 ts; ++ u64 current_cycle; ++ u64 start_offset; + u64 ns_period; + + if (!on) +@@ -1283,8 +1286,14 @@ static int prueth_perout_enable(void *clockops_data, + writel(reduction_factor, emac->prueth->shram.va + + TIMESYNC_FW_WC_SYNCOUT_REDUCTION_FACTOR_OFFSET); + +- writel(0, emac->prueth->shram.va + +- 
TIMESYNC_FW_WC_SYNCOUT_START_TIME_CYCLECOUNT_OFFSET); ++ current_cycle = icssg_read_time(emac->prueth->shram.va + ++ TIMESYNC_FW_WC_CYCLECOUNT_OFFSET); ++ ++ /* Rounding of current_cycle count to next second */ ++ start_offset = roundup(current_cycle, MSEC_PER_SEC); ++ ++ hi_lo_writeq(start_offset, emac->prueth->shram.va + ++ TIMESYNC_FW_WC_SYNCOUT_START_TIME_CYCLECOUNT_OFFSET); + + return 0; + } +diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.h b/drivers/net/ethernet/ti/icssg/icssg_prueth.h +index 3fe80a8758d30..0713ad7897b68 100644 +--- a/drivers/net/ethernet/ti/icssg/icssg_prueth.h ++++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.h +@@ -257,6 +257,18 @@ static inline int prueth_emac_slice(struct prueth_emac *emac) + + extern const struct ethtool_ops icssg_ethtool_ops; + ++static inline u64 icssg_read_time(const void __iomem *addr) ++{ ++ u32 low, high; ++ ++ do { ++ high = readl(addr + 4); ++ low = readl(addr); ++ } while (high != readl(addr + 4)); ++ ++ return low + ((u64)high << 32); ++} ++ + /* Classifier helpers */ + void icssg_class_set_mac_addr(struct regmap *miig_rt, int slice, u8 *mac); + void icssg_class_set_host_mac_addr(struct regmap *miig_rt, const u8 *mac); +-- +2.43.0 + diff --git a/queue-6.6/net-vertexcom-mse102x-fix-tx_bytes-calculation.patch b/queue-6.6/net-vertexcom-mse102x-fix-tx_bytes-calculation.patch new file mode 100644 index 00000000000..35d40126aae --- /dev/null +++ b/queue-6.6/net-vertexcom-mse102x-fix-tx_bytes-calculation.patch 
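Review bot: `roundup(current_cycle, MSEC_PER_SEC)` in prueth_perout_enable() returns current_cycle unchanged when the count is already a multiple of 1000, so the start offset is not always the "next second" the comment promises and may equal a count that has already passed by the time the firmware reads it. Whether the firmware tolerates that is not visible here. The divisor also assumes that one cycle equals one millisecond, which the hunk does not establish. I would state that in the comment, e.g. `/* cycle count ticks once per ms (TODO confirm); round up to the next whole second */`, and round `current_cycle + 1` instead if a strictly future start is required. prueth_perout_enable() starts outside the hunk.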
@@ -0,0 +1,46 @@
+From f64d5806dde939d9715088a6b97b8580a18877af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Nov 2024 12:43:43 +0100
+Subject: net: vertexcom: mse102x: Fix tx_bytes calculation
+
+From: Stefan Wahren
+
+[ Upstream commit e68da664d379f352d41d7955712c44e0a738e4ab ]
+
+The tx_bytes should consider the actual size of the Ethernet frames
+without the SPI encapsulation. But we still need to take care of
+Ethernet padding.
+
+Fixes: 2f207cbf0dd4 ("net: vertexcom: Add MSE102x SPI support")
+Signed-off-by: Stefan Wahren
+Link: https://patch.msgid.link/20241108114343.6174-3-wahrenst@gmx.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/vertexcom/mse102x.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/vertexcom/mse102x.c b/drivers/net/ethernet/vertexcom/mse102x.c
+index dd766e175f7db..8f67c39f479ee 100644
+--- a/drivers/net/ethernet/vertexcom/mse102x.c
++++ b/drivers/net/ethernet/vertexcom/mse102x.c
+@@ -437,13 +437,15 @@ static void mse102x_tx_work(struct work_struct *work)
+ mse = &mses->mse102x;
+
+ while ((txb = skb_dequeue(&mse->txq))) {
++ unsigned int len = max_t(unsigned int, txb->len, ETH_ZLEN);
++
+ mutex_lock(&mses->lock);
+ ret = mse102x_tx_pkt_spi(mse, txb, work_timeout);
+ mutex_unlock(&mses->lock);
+ if (ret) {
+ mse->ndev->stats.tx_dropped++;
+ } else {
+- mse->ndev->stats.tx_bytes += txb->len;
++ mse->ndev->stats.tx_bytes += len;
+ mse->ndev->stats.tx_packets++;
+ }
+
+--
+2.43.0
+
diff --git a/queue-6.6/netlink-terminate-outstanding-dump-on-socket-close.patch b/queue-6.6/netlink-terminate-outstanding-dump-on-socket-close.patch
new file mode 100644
index 00000000000..07b7bb54e7c
--- /dev/null
+++ b/queue-6.6/netlink-terminate-outstanding-dump-on-socket-close.patch
@@ -0,0 +1,142 @@ +From 149ee523aaa7d79559ed421790ab4ebf6f5d0e77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2024 17:52:34 -0800 +Subject: netlink: terminate outstanding dump on socket close + +From: Jakub Kicinski + +[ Upstream commit 1904fb9ebf911441f90a68e96b22aa73e4410505 ] + +Netlink supports iterative dumping of data. It provides the families +the following ops: + - start - (optional) kicks off the dumping process + - dump - actual dump helper, keeps getting called until it returns 0 + - done - (optional) pairs with .start, can be used for cleanup +The whole process is asynchronous and the repeated calls to .dump +don't actually happen in a tight loop, but rather are triggered +in response to recvmsg() on the socket. + +This gives the user full control over the dump, but also means that +the user can close the socket without getting to the end of the dump. +To make sure .start is always paired with .done we check if there +is an ongoing dump before freeing the socket, and if so call .done. + +The complication is that sockets can get freed from BH and .done +is allowed to sleep. So we use a workqueue to defer the call, when +needed. + +Unfortunately this does not work correctly. What we defer is not +the cleanup but rather releasing a reference on the socket. +We have no guarantee that we own the last reference, if someone +else holds the socket they may release it in BH and we're back +to square one. + +The whole dance, however, appears to be unnecessary. Only the user +can interact with dumps, so we can clean up when socket is closed. +And close always happens in process context. Some async code may +still access the socket after close, queue notification skbs to it etc. +but no dumps can start, end or otherwise make progress. + +Delete the workqueue and flush the dump state directly from the release +handler. 
Note that further cleanup is possible in -next, for instance +we now always call .done before releasing the main module reference, +so dump doesn't have to take a reference of its own. + +Reported-by: syzkaller +Fixes: ed5d7788a934 ("netlink: Do not schedule work from sk_destruct") +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241106015235.2458807-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 31 ++++++++----------------------- + net/netlink/af_netlink.h | 2 -- + 2 files changed, 8 insertions(+), 25 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 50e13207a05aa..4aa2cbe9d6fa6 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -393,15 +393,6 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk) + + static void netlink_sock_destruct(struct sock *sk) + { +- struct netlink_sock *nlk = nlk_sk(sk); +- +- if (nlk->cb_running) { +- if (nlk->cb.done) +- nlk->cb.done(&nlk->cb); +- module_put(nlk->cb.module); +- kfree_skb(nlk->cb.skb); +- } +- + skb_queue_purge(&sk->sk_receive_queue); + + if (!sock_flag(sk, SOCK_DEAD)) { +@@ -414,14 +405,6 @@ static void netlink_sock_destruct(struct sock *sk) + WARN_ON(nlk_sk(sk)->groups); + } + +-static void netlink_sock_destruct_work(struct work_struct *work) +-{ +- struct netlink_sock *nlk = container_of(work, struct netlink_sock, +- work); +- +- sk_free(&nlk->sk); +-} +- + /* This lock without WQ_FLAG_EXCLUSIVE is good on UP and it is _very_ bad on + * SMP. Look, when several writers sleep and reader wakes them up, all but one + * immediately hit write lock and grab all the cpus. 
Exclusive sleep solves +@@ -735,12 +718,6 @@ static void deferred_put_nlk_sk(struct rcu_head *head) + if (!refcount_dec_and_test(&sk->sk_refcnt)) + return; + +- if (nlk->cb_running && nlk->cb.done) { +- INIT_WORK(&nlk->work, netlink_sock_destruct_work); +- schedule_work(&nlk->work); +- return; +- } +- + sk_free(sk); + } + +@@ -792,6 +769,14 @@ static int netlink_release(struct socket *sock) + NETLINK_URELEASE, &n); + } + ++ /* Terminate any outstanding dump */ ++ if (nlk->cb_running) { ++ if (nlk->cb.done) ++ nlk->cb.done(&nlk->cb); ++ module_put(nlk->cb.module); ++ kfree_skb(nlk->cb.skb); ++ } ++ + module_put(nlk->module); + + if (netlink_is_kernel(sk)) { +diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h +index 9751e29d4bbb9..b1a17c0d97a10 100644 +--- a/net/netlink/af_netlink.h ++++ b/net/netlink/af_netlink.h +@@ -4,7 +4,6 @@ + + #include + #include +-#include + #include + + /* flags */ +@@ -51,7 +50,6 @@ struct netlink_sock { + + struct rhash_head node; + struct rcu_head rcu; +- struct work_struct work; + }; + + static inline struct netlink_sock *nlk_sk(struct sock *sk) +-- +2.43.0 + diff --git a/queue-6.6/revert-rdma-core-fix-enodev-error-for-iwarp-test-ove.patch b/queue-6.6/revert-rdma-core-fix-enodev-error-for-iwarp-test-ove.patch new file mode 100644 index 00000000000..1f7348e51cb --- /dev/null +++ b/queue-6.6/revert-rdma-core-fix-enodev-error-for-iwarp-test-ove.patch 
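Review bot: The dump teardown added to netlink_release() takes no dump-callback lock and leaves `nlk->cb_running` set and `nlk->cb.skb` pointing at a freed skb. That is safe only under the invariant the commit message states, that no dump can start or make progress once the socket is closed. The comment `/* Terminate any outstanding dump */` records neither that invariant nor that `.done` may sleep, which is the reason the call moved here from the destructor. I would expand it to `/* No dump can run after close; .done may sleep, so call it here in process context */` and add `nlk->cb_running = false;` after the frees, so that code which still touches the socket after close cannot see stale callback state. netlink_release() starts and ends outside the hunk.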
@@ -0,0 +1,54 @@
+From 5493e7f88192bc971e84926cbb551295a4dd78a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Nov 2024 10:56:26 +0200
+Subject: Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan"
+
+From: Leon Romanovsky
+
+[ Upstream commit 6abe2a90808192a5a8b2825293e5f10e80fdea56 ]
+
+The citied commit in Fixes line caused to regression for udaddy [1]
+application. It doesn't work over VLANs anymore.
+
+Client:
+ ifconfig eth2 1.1.1.1
+ ip link add link eth2 name p0.3597 type vlan protocol 802.1Q id 3597
+ ip link set dev p0.3597 up
+ ip addr add 2.2.2.2/16 dev p0.3597
+ udaddy -S 847 -C 220 -c 2 -t 0 -s 2.2.2.3 -b 2.2.2.2
+
+Server:
+ ifconfig eth2 1.1.1.3
+ ip link add link eth2 name p0.3597 type vlan protocol 802.1Q id 3597
+ ip link set dev p0.3597 up
+ ip addr add 2.2.2.3/16 dev p0.3597
+ udaddy -S 847 -C 220 -c 2 -t 0 -b 2.2.2.3
+
+[1] https://github.com/linux-rdma/rdma-core/blob/master/librdmacm/examples/udaddy.c
+
+Fixes: 5069d7e202f6 ("RDMA/core: Fix ENODEV error for iWARP test over vlan")
+Reported-by: Leon Romanovsky
+Closes: https://lore.kernel.org/all/20241110130746.GA48891@unreal
+Link: https://patch.msgid.link/bb9d403419b2b9566da5b8bf0761fa8377927e49.1731401658.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/addr.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
+index fd78d678877c4..f253295795f0a 100644
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -269,8 +269,6 @@ rdma_find_ndev_for_src_ip_rcu(struct net *net, const struct sockaddr *src_in)
+ break;
+ #endif
+ }
+- if (!ret && dev && is_vlan_dev(dev))
+- dev = vlan_dev_real_dev(dev);
+ return ret ? ERR_PTR(ret) : dev;
+ }
+
+--
+2.43.0
+
diff --git a/queue-6.6/samples-pktgen-correct-dev-to-dev.patch b/queue-6.6/samples-pktgen-correct-dev-to-dev.patch
new file mode 100644
index 00000000000..be1893f2c9e
--- /dev/null
+++ b/queue-6.6/samples-pktgen-correct-dev-to-dev.patch
@@ -0,0 +1,40 @@
+From cb2400708495e00528c65e43cf6e6f4eb0df949a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Nov 2024 11:03:47 +0800
+Subject: samples: pktgen: correct dev to DEV
+
+From: Wei Fang
+
+[ Upstream commit 3342dc8b4623d835e7dd76a15cec2e5a94fe2f93 ]
+
+In the pktgen_sample01_simple.sh script, the device variable is uppercase
+'DEV' instead of lowercase 'dev'. Because of this typo, the script cannot
+enable UDP tx checksum.
+
+Fixes: 460a9aa23de6 ("samples: pktgen: add UDP tx checksum support")
+Signed-off-by: Wei Fang
+Reviewed-by: Simon Horman
+Acked-by: Jesper Dangaard Brouer
+Link: https://patch.msgid.link/20241112030347.1849335-1-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ samples/pktgen/pktgen_sample01_simple.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/pktgen/pktgen_sample01_simple.sh b/samples/pktgen/pktgen_sample01_simple.sh
+index cdb9f497f87da..66cb707479e6c 100755
+--- a/samples/pktgen/pktgen_sample01_simple.sh
++++ b/samples/pktgen/pktgen_sample01_simple.sh
+@@ -76,7 +76,7 @@ if [ -n "$DST_PORT" ]; then
+ pg_set $DEV "udp_dst_max $UDP_DST_MAX"
+ fi
+
+-[ ! -z "$UDP_CSUM" ] && pg_set $dev "flag UDPCSUM"
++[ ! -z "$UDP_CSUM" ] && pg_set $DEV "flag UDPCSUM"
+
+ # Setup random UDP port src range
+ pg_set $DEV "flag UDPSRC_RND"
+--
+2.43.0
+
diff --git a/queue-6.6/sctp-fix-possible-uaf-in-sctp_v6_available.patch b/queue-6.6/sctp-fix-possible-uaf-in-sctp_v6_available.patch
new file mode 100644
index 00000000000..e58c2d43b3c
--- /dev/null
+++ b/queue-6.6/sctp-fix-possible-uaf-in-sctp_v6_available.patch
@@ -0,0 +1,140 @@ +From f181c3f5b520f35f83bff8be854a955d1bad5fa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 19:20:21 +0000 +Subject: sctp: fix possible UAF in sctp_v6_available() + +From: Eric Dumazet + +[ Upstream commit eb72e7fcc83987d5d5595b43222f23b295d5de7f ] + +A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints +that sctp_v6_available() is calling dev_get_by_index_rcu() +and ipv6_chk_addr() without holding rcu. + +[1] + ============================= + WARNING: suspicious RCU usage + 6.12.0-rc5-virtme #1216 Tainted: G W + ----------------------------- + net/core/dev.c:876 RCU-list traversed in non-reader section!! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by sctp_hello/31495: + #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp + +stack backtrace: + CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216 + Tainted: [W]=WARN + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Call Trace: + + dump_stack_lvl (lib/dump_stack.c:123) + lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) + dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7)) + sctp_v6_available (net/sctp/ipv6.c:701) sctp + sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp + sctp_bind (net/sctp/socket.c:320) sctp + inet6_bind_sk (net/ipv6/af_inet6.c:465) + ? security_socket_bind (security/security.c:4581 (discriminator 1)) + __sys_bind (net/socket.c:1848 net/socket.c:1869) + ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340) + ? 
do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13)) + __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1)) + do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + RIP: 0033:0x7f59b934a1e7 + Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48 +All code +======== + 0: 44 00 00 add %r8b,(%rax) + 3: 48 8b 15 39 8c 0c 00 mov 0xc8c39(%rip),%rdx # 0xc8c43 + a: f7 d8 neg %eax + c: 64 89 02 mov %eax,%fs:(%rdx) + f: b8 ff ff ff ff mov $0xffffffff,%eax + 14: eb bd jmp 0xffffffffffffffd3 + 16: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 1d: 00 00 00 + 20: 0f 1f 00 nopl (%rax) + 23: b8 31 00 00 00 mov $0x31,%eax + 28: 0f 05 syscall + 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction + 30: 73 01 jae 0x33 + 32: c3 ret + 33: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c43 + 3a: f7 d8 neg %eax + 3c: 64 89 01 mov %eax,%fs:(%rcx) + 3f: 48 rex.W + +Code starting with the faulting instruction +=========================================== + 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax + 6: 73 01 jae 0x9 + 8: c3 ret + 9: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c19 + 10: f7 d8 neg %eax + 12: 64 89 01 mov %eax,%fs:(%rcx) + 15: 48 rex.W + RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031 + RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7 + RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005 + RBP: 0000000000000005 R08: 1999999999999999 R09: 
0000000000000000 + R10: 00007f59b9253298 R11: 0000000000000202 R12: 00007ffe2d0ada61 + R13: 0000000000000000 R14: 0000562926516dd8 R15: 00007f59b9479000 + + +Fixes: 6fe1e52490a9 ("sctp: check ipv6 addr with sk_bound_dev if set") +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Acked-by: Xin Long +Link: https://patch.msgid.link/20241107192021.2579789-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/ipv6.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 43f2731bf590e..08acda9ecdf56 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -684,7 +684,7 @@ static int sctp_v6_available(union sctp_addr *addr, struct sctp_sock *sp) + struct sock *sk = &sp->inet.sk; + struct net *net = sock_net(sk); + struct net_device *dev = NULL; +- int type; ++ int type, res, bound_dev_if; + + type = ipv6_addr_type(in6); + if (IPV6_ADDR_ANY == type) +@@ -698,14 +698,21 @@ static int sctp_v6_available(union sctp_addr *addr, struct sctp_sock *sp) + if (!(type & IPV6_ADDR_UNICAST)) + return 0; + +- if (sk->sk_bound_dev_if) { +- dev = dev_get_by_index_rcu(net, sk->sk_bound_dev_if); ++ rcu_read_lock(); ++ bound_dev_if = READ_ONCE(sk->sk_bound_dev_if); ++ if (bound_dev_if) { ++ res = 0; ++ dev = dev_get_by_index_rcu(net, bound_dev_if); + if (!dev) +- return 0; ++ goto out; + } + +- return ipv6_can_nonlocal_bind(net, &sp->inet) || +- ipv6_chk_addr(net, in6, dev, 0); ++ res = ipv6_can_nonlocal_bind(net, &sp->inet) || ++ ipv6_chk_addr(net, in6, dev, 0); ++ ++out: ++ rcu_read_unlock(); ++ return res; + } + + /* This function checks if the address is a valid address to be used for +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 00000000000..457674f3934 --- /dev/null +++ b/queue-6.6/series 
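Review bot: In sctp_v6_available() `res = 0;` is set inside the `if (bound_dev_if)` branch only to serve the `goto out` two lines later, which hides the fact that `res` is otherwise unset until the final assignment. Initialising it at the declaration, `int type, bound_dev_if, res = 0;`, reads more clearly and survives later edits to the branch. The new read-side section also deserves a comment that `dev` comes from dev_get_by_index_rcu() without a reference and must not be used after rcu_read_unlock(): `/* dev is only valid inside this RCU read-side section */`. The function starts outside the hunk.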
@@ -0,0 +1,27 @@
+netlink-terminate-outstanding-dump-on-socket-close.patch
+sctp-fix-possible-uaf-in-sctp_v6_available.patch
+net-vertexcom-mse102x-fix-tx_bytes-calculation.patch
+drm-rockchip-vop-fix-a-dereferenced-before-check-war.patch
+mptcp-error-out-earlier-on-disconnect.patch
+mptcp-cope-racing-subflow-creation-in-mptcp_rcv_spac.patch
+net-mlx5-fs-lock-fte-when-checking-if-active.patch
+net-mlx5e-ktls-fix-incorrect-page-refcounting.patch
+net-mlx5e-clear-xdp-features-on-non-uplink-represent.patch
+net-mlx5e-ct-fix-null-ptr-deref-in-add-rule-err-flow.patch
+virtio-vsock-fix-accept_queue-memory-leak.patch
+revert-rdma-core-fix-enodev-error-for-iwarp-test-ove.patch
+bluetooth-hci_core-fix-calling-mgmt_device_connected.patch
+bluetooth-btintel-direct-exception-event-to-bluetoot.patch
+net-sched-cls_u32-replace-int-refcounts-with-proper-.patch
+net-sched-cls_u32-fix-u32-s-systematic-failure-to-fr.patch
+samples-pktgen-correct-dev-to-dev.patch
+net-stmmac-dwmac-mediatek-fix-inverted-handling-of-m.patch
+net-make-copy_safe_from_sockptr-match-documentation.patch
+net-stmmac-dwmac-intel-plat-use-devm_stmmac_probe_co.patch
+net-stmmac-dwmac-visconti-use-devm_stmmac_probe_conf.patch
+net-stmmac-rename-stmmac_pltfr_remove_no_dt-to-stmma.patch
+stmmac-dwmac-intel-plat-fix-call-balance-of-tx_clk-h.patch
+net-ti-icssg-prueth-fix-1-pps-sync.patch
+bonding-add-ns-target-multicast-address-to-slave-dev.patch
+arm-9419-1-mm-fix-kernel-memory-mapping-for-xip-kern.patch
+tools-mm-fix-compile-error.patch
diff --git a/queue-6.6/stmmac-dwmac-intel-plat-fix-call-balance-of-tx_clk-h.patch b/queue-6.6/stmmac-dwmac-intel-plat-fix-call-balance-of-tx_clk-h.patch
new file mode 100644
index 00000000000..d8481281642
--- /dev/null
+++ b/queue-6.6/stmmac-dwmac-intel-plat-fix-call-balance-of-tx_clk-h.patch
@@ -0,0 +1,96 @@ +From 4fb12be160d3876e33233e902e4318e0c5617e26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2024 20:33:34 +0300 +Subject: stmmac: dwmac-intel-plat: fix call balance of tx_clk handling + routines + +From: Vitalii Mordan + +[ Upstream commit 5b366eae71937ae7412365340b431064625f9617 ] + +If the clock dwmac->tx_clk was not enabled in intel_eth_plat_probe, +it should not be disabled in any path. + +Conversely, if it was enabled in intel_eth_plat_probe, it must be disabled +in all error paths to ensure proper cleanup. + +Found by Linux Verification Center (linuxtesting.org) with Klever. + +Fixes: 9efc9b2b04c7 ("net: stmmac: Add dwmac-intel-plat for GBE driver") +Signed-off-by: Vitalii Mordan +Link: https://patch.msgid.link/20241108173334.2973603-1-mordan@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../stmicro/stmmac/dwmac-intel-plat.c | 25 +++++++++++++------ + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c +index 70edc5232379f..134f6506df99a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c +@@ -111,7 +111,12 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + if (IS_ERR(dwmac->tx_clk)) + return PTR_ERR(dwmac->tx_clk); + +- clk_prepare_enable(dwmac->tx_clk); ++ ret = clk_prepare_enable(dwmac->tx_clk); ++ if (ret) { ++ dev_err(&pdev->dev, ++ "Failed to enable tx_clk\n"); ++ return ret; ++ } + + /* Check and configure TX clock rate */ + rate = clk_get_rate(dwmac->tx_clk); +@@ -122,7 +127,7 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, + "Failed to set tx_clk\n"); +- return ret; ++ goto err_tx_clk_disable; + } + } + } +@@ -136,7 +141,7 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, 
+ "Failed to set clk_ptp_ref\n"); +- return ret; ++ goto err_tx_clk_disable; + } + } + } +@@ -152,12 +157,15 @@ static int intel_eth_plat_probe(struct platform_device *pdev) + } + + ret = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res); +- if (ret) { +- clk_disable_unprepare(dwmac->tx_clk); +- return ret; +- } ++ if (ret) ++ goto err_tx_clk_disable; + + return 0; ++ ++err_tx_clk_disable: ++ if (dwmac->data->tx_clk_en) ++ clk_disable_unprepare(dwmac->tx_clk); ++ return ret; + } + + static void intel_eth_plat_remove(struct platform_device *pdev) +@@ -165,7 +173,8 @@ static void intel_eth_plat_remove(struct platform_device *pdev) + struct intel_dwmac *dwmac = get_stmmac_bsp_priv(&pdev->dev); + + stmmac_pltfr_remove(pdev); +- clk_disable_unprepare(dwmac->tx_clk); ++ if (dwmac->data->tx_clk_en) ++ clk_disable_unprepare(dwmac->tx_clk); + } + + static struct platform_driver intel_eth_plat_driver = { +-- +2.43.0 + diff --git a/queue-6.6/tools-mm-fix-compile-error.patch b/queue-6.6/tools-mm-fix-compile-error.patch new file mode 100644 index 00000000000..01cf22832d6 --- /dev/null +++ b/queue-6.6/tools-mm-fix-compile-error.patch 
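Review bot: The new `err_tx_clk_disable` label and intel_eth_plat_remove() dereference `dwmac->data->tx_clk_en` unconditionally. The runs of closing braces in the probe hunks suggest the clock setup sits inside nested conditionals; if one of them is a NULL check on `dwmac->data` (not visible here), the stmmac_dvr_probe() failure path and the remove path can now dereference a NULL pointer. In that case both sites should read `if (dwmac->data && dwmac->data->tx_clk_en)`. intel_eth_plat_probe() starts outside the hunk.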
@@ -0,0 +1,44 @@
+From 4c8957e68f510bd7bd4841c6f1faeb8663b2cefa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Nov 2024 19:16:55 +0200
+Subject: tools/mm: fix compile error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Motiejus JakÅ`tys
+
+[ Upstream commit a39326767c55c00c7c313333404cbcb502cce8fe ]
+
+Add a missing semicolon.
+
+Link: https://lkml.kernel.org/r/20241112171655.1662670-1-motiejus@jakstys.lt
+Fixes: ece5897e5a10 ("tools/mm: -Werror fixes in page-types/slabinfo")
+Signed-off-by: Motiejus JakÅ`tys
+Closes: https://github.com/NixOS/nixpkgs/issues/355369
+Reviewed-by: SeongJae Park
+Reviewed-by: Vishal Moola (Oracle)
+Acked-by: Oleksandr Natalenko
+Cc: Wladislav Wiebe
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ tools/mm/page-types.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/mm/page-types.c b/tools/mm/page-types.c
+index 2a4ca4dd2da80..69f00eab1b8c7 100644
+--- a/tools/mm/page-types.c
++++ b/tools/mm/page-types.c
+@@ -421,7 +421,7 @@ static void show_page(unsigned long voffset, unsigned long offset,
+ if (opt_file)
+ printf("%lx\t", voffset);
+ if (opt_list_cgroup)
+- printf("@%" PRIu64 "\t", cgroup)
++ printf("@%" PRIu64 "\t", cgroup);
+ if (opt_list_mapcnt)
+ printf("%" PRIu64 "\t", mapcnt);
+
+--
+2.43.0
+
diff --git a/queue-6.6/virtio-vsock-fix-accept_queue-memory-leak.patch b/queue-6.6/virtio-vsock-fix-accept_queue-memory-leak.patch
new file mode 100644
index 00000000000..c9cc565f66f
--- /dev/null
+++ b/queue-6.6/virtio-vsock-fix-accept_queue-memory-leak.patch
@@ -0,0 +1,93 @@
+From a641a72f407230c0d247be4253991d747556897d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Nov 2024 21:46:12 +0100
+Subject: virtio/vsock: Fix accept_queue memory leak
+
+From: Michal Luczaj
+
+[ Upstream commit d7b0ff5a866724c3ad21f2628c22a63336deec3f ]
+
+As the final stages of socket destruction may be delayed, it is possible
+that virtio_transport_recv_listen() will be called after the accept_queue
+has been flushed, but before the SOCK_DONE flag has been set. As a result,
+sockets enqueued after the flush would remain unremoved, leading to a
+memory leak.
+
+vsock_release
+ __vsock_release
+ lock
+ virtio_transport_release
+ virtio_transport_close
+ schedule_delayed_work(close_work)
+ sk_shutdown = SHUTDOWN_MASK
+(!) flush accept_queue
+ release
+ virtio_transport_recv_pkt
+ vsock_find_bound_socket
+ lock
+ if flag(SOCK_DONE) return
+ virtio_transport_recv_listen
+ child = vsock_create_connected
+ (!) vsock_enqueue_accept(child)
+ release
+close_work
+ lock
+ virtio_transport_do_close
+ set_flag(SOCK_DONE)
+ virtio_transport_remove_sock
+ vsock_remove_sock
+ vsock_remove_bound
+ release
+
+Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
+socket destruction.
+
+unreferenced object 0xffff888109e3f800 (size 2040):
+ comm "kworker/5:2", pid 371, jiffies 4294940105
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............
+ backtrace (crc 9e5f4e84):
+ [] kmem_cache_alloc_noprof+0x2c1/0x360
+ [] sk_prot_alloc+0x30/0x120
+ [] sk_alloc+0x2c/0x4b0
+ [] __vsock_create.constprop.0+0x2a/0x310
+ [] virtio_transport_recv_pkt+0x4dc/0x9a0
+ [] vsock_loopback_work+0xfd/0x140
+ [] process_one_work+0x20c/0x570
+ [] worker_thread+0x1bf/0x3a0
+ [] kthread+0xdd/0x110
+ [] ret_from_fork+0x2d/0x50
+ [] ret_from_fork_asm+0x1a/0x30
+
+Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Michal Luczaj
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/virtio_transport_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index 2a44505f4a223..43495820b64fb 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1314,6 +1314,14 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb,
+ return -ENOMEM;
+ }
+
++ /* __vsock_release() might have already flushed accept_queue.
++ * Subsequent enqueues would lead to a memory leak.
++ */
++ if (sk->sk_shutdown == SHUTDOWN_MASK) {
++ virtio_transport_reset_no_sock(t, skb);
++ return -ESHUTDOWN;
++ }
++
+ child = vsock_create_connected(sk);
+ if (!child) {
+ virtio_transport_reset_no_sock(t, skb);
+--
+2.43.0
+
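Review bot: The comment added above the `sk_shutdown` check in virtio_transport_recv_listen() says why the check exists but not why it is sufficient. Going by the call sequence in the commit message, both the flush in __vsock_release() and this receive path run with the socket lock held, and that ordering is what closes the window. I would record it in the comment, for example by appending `* Caller holds the sk lock, so sk_shutdown cannot change under us.`, because the locking is not visible in this function and a later refactor could move the check out from under it. Since the path is driven by incoming packets (virtio_transport_recv_pkt in the backtrace), the leak this guards against looks repeatable, so the invariant is worth stating explicitly. The function body starts before and continues past this hunk.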