From: Sasha Levin
Date: Sun, 11 Jun 2023 02:02:40 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v4.14.318~66
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b15da5313e3d0811d7105db4d998db8ceb26f4a;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.4/bluetooth-fix-l2cap_disconnect_req-deadlock.patch b/queue-5.4/bluetooth-fix-l2cap_disconnect_req-deadlock.patch
new file mode 100644
index 00000000000..48189752328
--- /dev/null
+++ b/queue-5.4/bluetooth-fix-l2cap_disconnect_req-deadlock.patch
@@ -0,0 +1,61 @@
+From ea82d25730f0c55b5a9917d63ef58ed422d87c62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 May 2023 03:44:56 +0000
+Subject: Bluetooth: Fix l2cap_disconnect_req deadlock
+
+From: Ying Hsu
+
+[ Upstream commit 02c5ea5246a44d6ffde0fddebfc1d56188052976 ]
+
+L2CAP assumes that the locks conn->chan_lock and chan->lock are
+acquired in the order conn->chan_lock, chan->lock to avoid
+potential deadlock.
+For example, l2sock_shutdown acquires these locks in the order:
+ mutex_lock(&conn->chan_lock)
+ l2cap_chan_lock(chan)
+
+However, l2cap_disconnect_req acquires chan->lock in
+l2cap_get_chan_by_scid first and then acquires conn->chan_lock
+before calling l2cap_chan_del. This means that these locks are
+acquired in unexpected order, which leads to potential deadlock:
+ l2cap_chan_lock(c)
+ mutex_lock(&conn->chan_lock)
+
+This patch releases chan->lock before acquiring the conn_chan_lock
+to avoid the potential deadlock.
+
+Fixes: a2a9339e1c9d ("Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}")
+Signed-off-by: Ying Hsu
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 5f53e75d83024..6bbe0fd79d154 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4380,7 +4380,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+
+ chan->ops->set_shutdown(chan);
+
++ l2cap_chan_unlock(chan);
+ mutex_lock(&conn->chan_lock);
++ l2cap_chan_lock(chan);
+ l2cap_chan_del(chan, ECONNRESET);
+ mutex_unlock(&conn->chan_lock);
+
+@@ -4419,7 +4421,9 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+ return 0;
+ }
+
++ l2cap_chan_unlock(chan);
+ mutex_lock(&conn->chan_lock);
++ l2cap_chan_lock(chan);
+ l2cap_chan_del(chan, 0);
+ mutex_unlock(&conn->chan_lock);
+
+--
+2.39.2
+
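Review bot: Dropping chan->lock before taking conn->chan_lock opens a window, in both l2cap_disconnect_req and l2cap_disconnect_rsp, in which another path can change the channel's state or delete it from the connection before the added `l2cap_chan_lock(chan)` returns, yet the hunk relocks and calls l2cap_chan_del unconditionally. The channel object itself is presumably kept alive by the hold taken in l2cap_get_chan_by_scid (the use-after-free fix named in the Fixes tag), but that does not cover a concurrent l2cap_chan_del on the same channel; whether l2cap_chan_del tolerates a second call is not visible in the hunk, so either a state re-check after relocking or a comment stating why a double delete is harmless is warranted. A comment at the unlock, e.g. `/* conn->chan_lock must be taken before chan->lock; drop and reacquire to keep the lock order */`, would also stop a future reader from "fixing" the unlock away. Both enclosing functions begin and end outside the hunk.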
diff --git a/queue-5.4/bluetooth-l2cap-add-missing-checks-for-invalid-dcid.patch b/queue-5.4/bluetooth-l2cap-add-missing-checks-for-invalid-dcid.patch
new file mode 100644
index 00000000000..b4668384825
--- /dev/null
+++ b/queue-5.4/bluetooth-l2cap-add-missing-checks-for-invalid-dcid.patch
@@ -0,0 +1,53 @@
+From c54ff72f64728d4df4447ac0ccb3c6d7aeacbadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Jun 2023 08:28:09 -0400
+Subject: Bluetooth: L2CAP: Add missing checks for invalid DCID
+
+From: Sungwoo Kim
+
+[ Upstream commit 75767213f3d9b97f63694d02260b6a49a2271876 ]
+
+When receiving a connect response we should make sure that the DCID is
+within the valid range and that we don't already have another channel
+allocated for the same DCID.
+Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
+Version 5.4 | Vol 3, Part A, Page 1046).
+
+Fixes: 40624183c202 ("Bluetooth: L2CAP: Add missing checks for invalid LE DCID")
+Signed-off-by: Sungwoo Kim
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 6bbe0fd79d154..e56863587ea2e 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4024,6 +4024,10 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ result = __le16_to_cpu(rsp->result);
+ status = __le16_to_cpu(rsp->status);
+
++ if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||
++ dcid > L2CAP_CID_DYN_END))
++ return -EPROTO;
++
+ BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
+ dcid, scid, result, status);
+
+@@ -4055,6 +4059,11 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+
+ switch (result) {
+ case L2CAP_CR_SUCCESS:
++ if (__l2cap_get_chan_by_dcid(conn, dcid)) {
++ err = -EBADSLT;
++ break;
++ }
++
+ l2cap_state_change(chan, BT_CONFIG);
+ chan->ident = 0;
+ chan->dcid = dcid;
+--
+2.39.2
+
diff --git a/queue-5.4/bnxt_en-query-default-vlan-before-vnic-setup-on-a-vf.patch b/queue-5.4/bnxt_en-query-default-vlan-before-vnic-setup-on-a-vf.patch
new file mode 100644
index 00000000000..9339675e45e
--- /dev/null
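Review bot: The new range check in l2cap_connect_create_rsp returns -EPROTO before the BT_DBG() that immediately follows it, so a peer response rejected for an out-of-range DCID leaves no trace in the debug log, unlike every other outcome of this handler. Either move the check below the BT_DBG() or log in the early-return branch, e.g. `BT_ERR("Invalid dcid 0x%4.4x", dcid);` before the `return -EPROTO;`. In the second hunk, the `__` prefix on `__l2cap_get_chan_by_dcid` suggests it expects conn->chan_lock to be held; that the lock is held at that point is not visible in the hunk and should be confirmed for the 5.4 tree. The enclosing function starts and ends outside the hunk.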
+++ b/queue-5.4/bnxt_en-query-default-vlan-before-vnic-setup-on-a-vf.patch
@@ -0,0 +1,51 @@
+From 9fd5d3d5b44a26bc2f23d38049b045bed1a7f780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jun 2023 00:54:06 -0700
+Subject: bnxt_en: Query default VLAN before VNIC setup on a VF
+
+From: Somnath Kotur
+
+[ Upstream commit 1a9e4f501bc6ff1b6ecb60df54fbf2b54db43bfe ]
+
+We need to call bnxt_hwrm_func_qcfg() on a VF to query the default
+VLAN that may be setup by the PF. If a default VLAN is enabled,
+the VF cannot support VLAN acceleration on the receive side and
+the VNIC must be setup to strip out the default VLAN tag. If a
+default VLAN is not enabled, the VF can support VLAN acceleration
+on the receive side. The VNIC should be set up to strip or not
+strip the VLAN based on the RX VLAN acceleration setting.
+
+Without this call to determine the default VLAN before calling
+bnxt_setup_vnic(), the VNIC may not be set up correctly. For
+example, bnxt_setup_vnic() may set up to strip the VLAN tag based
+on stale default VLAN information. If RX VLAN acceleration is
+not enabled, the VLAN tag will be incorrectly stripped and the
+RX data path will not work correctly.
+
+Fixes: cf6645f8ebc6 ("bnxt_en: Add function for VF driver to query default VLAN.")
+Reviewed-by: Pavan Chebbi
+Signed-off-by: Somnath Kotur
+Signed-off-by: Michael Chan
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 2c71e838fa3d8..7f85315744009 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7781,6 +7781,9 @@ static int bnxt_init_chip(struct bnxt *bp, bool irq_re_init)
+ goto err_out;
+ }
+
++ if (BNXT_VF(bp))
++ bnxt_hwrm_func_qcfg(bp);
++
+ rc = bnxt_setup_vnic(bp, 0);
+ if (rc)
+ goto err_out;
+--
+2.39.2
+
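Review bot: The result of `bnxt_hwrm_func_qcfg(bp)` is discarded on the added lines in bnxt_init_chip, so if the HWRM query fails, bnxt_setup_vnic() on the very next line runs with exactly the stale default-VLAN information this patch is meant to prevent. If the helper reports failure like the surrounding HWRM calls do (the hunk's own `rc = bnxt_setup_vnic(bp, 0); if (rc) goto err_out;` pattern), the query should follow that pattern: `rc = bnxt_hwrm_func_qcfg(bp); if (rc) goto err_out;`. If a soft failure is intended here, a comment saying that the VNIC is then set up from the previous query result would make that explicit. bnxt_init_chip begins and ends outside the hunk.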
diff --git a/queue-5.4/lib-cpu_rmap-fix-potential-use-after-free-in-irq_cpu.patch b/queue-5.4/lib-cpu_rmap-fix-potential-use-after-free-in-irq_cpu.patch
new file mode 100644
index 00000000000..68fee273070
--- /dev/null
+++ b/queue-5.4/lib-cpu_rmap-fix-potential-use-after-free-in-irq_cpu.patch
@@ -0,0 +1,40 @@
+From 3948ba13c45eaeb6ed660e675be95cfbaa8037aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jun 2023 20:28:15 +0200
+Subject: lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
+
+From: Ben Hutchings
+
+[ Upstream commit 7c5d4801ecf0564c860033d89726b99723c55146 ]
+
+irq_cpu_rmap_release() calls cpu_rmap_put(), which may free the rmap.
+So we need to clear the pointer to our glue structure in rmap before
+doing that, not after.
+
+Fixes: 4e0473f1060a ("lib: cpu_rmap: Avoid use after free on rmap->obj array entries")
+Signed-off-by: Ben Hutchings
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/ZHo0vwquhOy3FaXc@decadent.org.uk
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ lib/cpu_rmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c
+index 920403fa5b0de..51621fde0b488 100644
+--- a/lib/cpu_rmap.c
++++ b/lib/cpu_rmap.c
+@@ -268,8 +268,8 @@ static void irq_cpu_rmap_release(struct kref *ref)
+ struct irq_glue *glue =
+ container_of(ref, struct irq_glue, notify.kref);
+
+- cpu_rmap_put(glue->rmap);
+ glue->rmap->obj[glue->index] = NULL;
++ cpu_rmap_put(glue->rmap);
+ kfree(glue);
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.4/neighbour-fix-unaligned-access-to-pneigh_entry.patch b/queue-5.4/neighbour-fix-unaligned-access-to-pneigh_entry.patch
new file mode 100644
index 00000000000..bf9297390a4
--- /dev/null
+++ b/queue-5.4/neighbour-fix-unaligned-access-to-pneigh_entry.patch
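Review bot: The reordered lines in irq_cpu_rmap_release encode an ordering constraint that the code itself does not state: cpu_rmap_put() may free glue->rmap, so the obj[] slot must be cleared before that call, and without a comment the next cleanup pass can swap the two statements back. Suggest `/* cpu_rmap_put() may free the rmap; clear our slot in it first */` above the `glue->rmap->obj[glue->index] = NULL;` line.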
@@ -0,0 +1,41 @@
+From 9582d609e5df9da30ae0cd73f194f1a247060c94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Jun 2023 09:54:32 +0800
+Subject: neighbour: fix unaligned access to pneigh_entry
+
+From: Qingfang DENG
+
+[ Upstream commit ed779fe4c9b5a20b4ab4fd6f3e19807445bb78c7 ]
+
+After the blamed commit, the member key is longer 4-byte aligned. On
+platforms that do not support unaligned access, e.g., MIPS32R2 with
+unaligned_action set to 1, this will trigger a crash when accessing
+an IPv6 pneigh_entry, as the key is cast to an in6_addr pointer.
+
+Change the type of the key to u32 to make it aligned.
+
+Fixes: 62dd93181aaa ("[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.")
+Signed-off-by: Qingfang DENG
+Link: https://lore.kernel.org/r/20230601015432.159066-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/neighbour.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 729bdf710b7e0..e595e944ebfc0 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -174,7 +174,7 @@ struct pneigh_entry {
+ struct net_device *dev;
+ u8 flags;
+ u8 protocol;
+- u8 key[];
++ u32 key[];
+ };
+
+ /*
+--
+2.39.2
+
diff --git a/queue-5.4/neighbour-replace-zero-length-array-with-flexible-ar.patch b/queue-5.4/neighbour-replace-zero-length-array-with-flexible-ar.patch
new file mode 100644
index 00000000000..b60181ed353
--- /dev/null
+++ b/queue-5.4/neighbour-replace-zero-length-array-with-flexible-ar.patch
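Review bot: Changing `key[]` from u8 to u32 in struct pneigh_entry fixes the alignment, but nothing in the hunk records that the element type exists only for alignment while callers (outside this hunk, presumably) still treat key as a buffer of key_len bytes and cast it to an in6_addr; a later reader may "correct" code that indexes a u32 array by byte count. Suggest documenting it on the member: `u32 key[]; /* u32 only for alignment; holds key_len bytes (e.g. an in6_addr) */`. The change also moves offsetof(struct pneigh_entry, key), so any code that computes the key position by hand rather than through n->key should be checked while backporting.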
@@ -0,0 +1,61 @@
+From 78a135f98aea15f1d691350feecfa458b58f43c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Feb 2020 19:05:02 -0600
+Subject: neighbour: Replace zero-length array with flexible-array member
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit 08ca27d027c238ed3f9b9968d349cebde44d99a6 ]
+
+The current codebase makes use of the zero-length array language
+extension to the C90 standard, but the preferred mechanism to declare
+variable-length types such as these ones is a flexible array member[1][2],
+introduced in C99:
+
+struct foo {
+ int stuff;
+ struct boo array[];
+};
+
+By making use of the mechanism above, we will get a compiler warning
+in case the flexible array does not occur last in the structure, which
+will help us prevent some kind of undefined behavior bugs from being
+inadvertently introduced[3] to the codebase from now on.
+
+Also, notice that, dynamic memory allocations won't be affected by
+this change:
+
+"Flexible array members have incomplete type, and so the sizeof operator
+may not be applied. As a quirk of the original implementation of
+zero-length arrays, sizeof evaluates to zero."[1]
+
+This issue was found with the help of Coccinelle.
+
+[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
+[2] https://github.com/KSPP/linux/issues/21
+[3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
+
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Stable-dep-of: ed779fe4c9b5 ("neighbour: fix unaligned access to pneigh_entry")
+Signed-off-by: Sasha Levin
+---
+ include/net/neighbour.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index b6494e87c897c..729bdf710b7e0 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -174,7 +174,7 @@ struct pneigh_entry {
+ struct net_device *dev;
+ u8 flags;
+ u8 protocol;
+- u8 key[0];
++ u8 key[];
+ };
+
+ /*
+--
+2.39.2
+
diff --git a/queue-5.4/net-dsa-lan9303-allow-vid-0-in-port_fdb_-add-del-met.patch b/queue-5.4/net-dsa-lan9303-allow-vid-0-in-port_fdb_-add-del-met.patch
new file mode 100644
index 00000000000..55517497bc4
--- /dev/null
+++ b/queue-5.4/net-dsa-lan9303-allow-vid-0-in-port_fdb_-add-del-met.patch
@@ -0,0 +1,56 @@
+From 20775ba91a3b6e12fb20ea6f84b37432e32d090e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 May 2023 16:38:26 +0200
+Subject: net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
+
+From: Alexander Sverdlin
+
+[ Upstream commit 5a59a58ec25d44f853c26bdbfda47d73b3067435 ]
+
+LAN9303 doesn't associate FDB (ALR) entries with VLANs, it has just one
+global Address Logic Resolution table [1].
+
+Ignore VID in port_fdb_{add|del} methods, go on with the global table. This
+is the same semantics as hellcreek or RZ/N1 implement.
+
+Visible symptoms:
+LAN9303_MDIO 5b050000.ethernet-1:00: port 2 failed to delete 00:xx:xx:xx:xx:cf vid 1 from fdb: -2
+LAN9303_MDIO 5b050000.ethernet-1:00: port 2 failed to add 00:xx:xx:xx:xx:cf vid 1 to fdb: -95
+
+[1] https://ww1.microchip.com/downloads/en/DeviceDoc/00002308A.pdf
+
+Fixes: 0620427ea0d6 ("net: dsa: lan9303: Add fdb/mdb manipulation")
+Signed-off-by: Alexander Sverdlin
+Reviewed-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20230531143826.477267-1-alexander.sverdlin@siemens.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/lan9303-core.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index 625db92792dab..67f8faa22783e 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -1187,8 +1187,6 @@ static int lan9303_port_fdb_add(struct dsa_switch *ds, int port,
+ struct lan9303 *chip = ds->priv;
+
+ dev_dbg(chip->dev, "%s(%d, %pM, %d)\n", __func__, port, addr, vid);
+- if (vid)
+- return -EOPNOTSUPP;
+
+ return lan9303_alr_add_port(chip, addr, port, false);
+ }
+@@ -1200,8 +1198,6 @@ static int lan9303_port_fdb_del(struct dsa_switch *ds, int port,
+ struct lan9303 *chip = ds->priv;
+
+ dev_dbg(chip->dev, "%s(%d, %pM, %d)\n", __func__, port, addr, vid);
+- if (vid)
+- return -EOPNOTSUPP;
+ lan9303_alr_del_port(chip, addr, port);
+
+ return 0;
+--
+2.39.2
+
diff --git a/queue-5.4/net-sched-fix-possible-refcount-leak-in-tc_chain_tmp.patch b/queue-5.4/net-sched-fix-possible-refcount-leak-in-tc_chain_tmp.patch
new file mode 100644
index 00000000000..5408ea1beaf
--- /dev/null
+++ b/queue-5.4/net-sched-fix-possible-refcount-leak-in-tc_chain_tmp.patch
@@ -0,0 +1,37 @@
+From 0520ecebf25c6ba05dc814676c921aba81a0d4de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jun 2023 10:23:01 +0800
+Subject: net: sched: fix possible refcount leak in tc_chain_tmplt_add()
+
+From: Hangyu Hua
+
+[ Upstream commit 44f8baaf230c655c249467ca415b570deca8df77 ]
+
+try_module_get will be called in tcf_proto_lookup_ops. So module_put needs
+to be called to drop the refcount if ops don't implement the required
+function.
+
+Fixes: 9f407f1768d3 ("net: sched: introduce chain templates")
+Signed-off-by: Hangyu Hua
+Reviewed-by: Larysa Zaremba
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index 3e5b10bec0cf7..a4cf718bdb8a0 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -2732,6 +2732,7 @@ static int tc_chain_tmplt_add(struct tcf_chain *chain, struct net *net,
+ return PTR_ERR(ops);
+ if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump) {
+ NL_SET_ERR_MSG(extack, "Chain templates are not supported with specified classifier");
++ module_put(ops->owner);
+ return -EOPNOTSUPP;
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.4/net-sched-move-rtm_tca_policy-declaration-to-include.patch b/queue-5.4/net-sched-move-rtm_tca_policy-declaration-to-include.patch
new file mode 100644
index 00000000000..1f475566ad3
--- /dev/null
+++ b/queue-5.4/net-sched-move-rtm_tca_policy-declaration-to-include.patch
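Review bot: With the `if (vid) return -EOPNOTSUPP;` lines removed from lan9303_port_fdb_add and lan9303_port_fdb_del, vid is still printed by the dev_dbg but is otherwise silently ignored, and nothing in the code says this is deliberate, so a future reader may re-add the check. Suggest a comment above the remaining call in each function, e.g. `/* LAN9303 keeps a single global ALR table; FDB entries are not per-VLAN, so vid is intentionally ignored. */`. The blank line left between the dev_dbg and the return in lan9303_port_fdb_add is now stray while lan9303_port_fdb_del has none; pick one layout for both.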
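Review bot: The added `module_put(ops->owner);` closes the leak on the unsupported-ops branch of tc_chain_tmplt_add, but the function continues outside the hunk, and any later error return taken before the ops reference is either stored or released would leak in the same way; worth auditing those exits in the 5.4 tree while backporting. A one-line comment tying the put to its get would help the next reader, e.g. `/* tcf_proto_lookup_ops() took a module reference */` above the new line.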
@@ -0,0 +1,54 @@
+From 2421b49db623c2f8ef2da14cb235022810688e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 11:42:33 +0000
+Subject: net: sched: move rtm_tca_policy declaration to include file
+
+From: Eric Dumazet
+
+[ Upstream commit 886bc7d6ed3357975c5f1d3c784da96000d4bbb4 ]
+
+rtm_tca_policy is used from net/sched/sch_api.c and net/sched/cls_api.c,
+thus should be declared in an include file.
+
+This fixes the following sparse warning:
+net/sched/sch_api.c:1434:25: warning: symbol 'rtm_tca_policy' was not declared. Should it be static?
+
+Fixes: e331473fee3d ("net/sched: cls_api: add missing validation of netlink attributes")
+Signed-off-by: Eric Dumazet
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/pkt_sched.h | 2 ++
+ net/sched/cls_api.c | 2 --
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index d1585b54fb0bd..2d932834ed5bf 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -124,6 +124,8 @@ static inline void qdisc_run(struct Qdisc *q)
+ }
+ }
+
++extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
++
+ /* Calculate maximal size of packet seen by hard_start_xmit
+ routine of this device.
+ */
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index 49777da9f2634..3e5b10bec0cf7 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -40,8 +40,6 @@
+ #include
+ #include
+
+-extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
+-
+ /* The list of all installed classifier types */
+ static LIST_HEAD(tcf_proto_base);
+
+--
+2.39.2
+
diff --git a/queue-5.4/netfilter-conntrack-fix-null-pointer-dereference-in-.patch b/queue-5.4/netfilter-conntrack-fix-null-pointer-dereference-in-.patch
new file mode 100644
index 00000000000..5a0924ab15c
--- /dev/null
+++ b/queue-5.4/netfilter-conntrack-fix-null-pointer-dereference-in-.patch
@@ -0,0 +1,59 @@
+From d858b5f47fbcc963bb645fbdca30368f7f4444f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 May 2023 12:25:26 +0200
+Subject: netfilter: conntrack: fix NULL pointer dereference in
+ nf_confirm_cthelper
+
+From: Tijs Van Buggenhout
+
+[ Upstream commit e1f543dc660b44618a1bd72ddb4ca0828a95f7ad ]
+
+An nf_conntrack_helper from nf_conn_help may become NULL after DNAT.
+
+Observed when TCP port 1720 (Q931_PORT), associated with h323 conntrack
+helper, is DNAT'ed to another destination port (e.g. 1730), while
+nfqueue is being used for final acceptance (e.g. snort).
+
+This happenned after transition from kernel 4.14 to 5.10.161.
+
+Workarounds:
+ * keep the same port (1720) in DNAT
+ * disable nfqueue
+ * disable/unload h323 NAT helper
+
+$ linux-5.10/scripts/decode_stacktrace.sh vmlinux < /tmp/kernel.log
+BUG: kernel NULL pointer dereference, address: 0000000000000084
+[..]
+RIP: 0010:nf_conntrack_update (net/netfilter/nf_conntrack_core.c:2080 net/netfilter/nf_conntrack_core.c:2134) nf_conntrack
+[..]
+nfqnl_reinject (net/netfilter/nfnetlink_queue.c:237) nfnetlink_queue
+nfqnl_recv_verdict (net/netfilter/nfnetlink_queue.c:1230) nfnetlink_queue
+nfnetlink_rcv_msg (net/netfilter/nfnetlink.c:241) nfnetlink
+[..]
+
+Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
+Signed-off-by: Tijs Van Buggenhout
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index d9b6f2001d006..fb1f12bb0ff2c 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1943,6 +1943,9 @@ static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
+ return 0;
+
+ helper = rcu_dereference(help->helper);
++ if (!helper)
++ return 0;
++
+ if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
+ return 0;
+
+--
+2.39.2
+
diff --git a/queue-5.4/netfilter-ipset-add-schedule-point-in-call_ad.patch b/queue-5.4/netfilter-ipset-add-schedule-point-in-call_ad.patch
new file mode 100644
index 00000000000..f8d231d4e09
--- /dev/null
+++ b/queue-5.4/netfilter-ipset-add-schedule-point-in-call_ad.patch
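Review bot: The added `if (!helper) return 0;` in nf_confirm_cthelper gives no hint why help->helper can be NULL at this point, so a later reader cannot tell whether it guards a race or a legitimate state and may be tempted to turn it into a WARN. Suggest a comment on the check that carries the reason from the commit message: `/* the helper may have been cleared after DNAT (e.g. h323 on a rewritten port); nothing to confirm */`. The function begins and ends outside the hunk.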
@@ -0,0 +1,100 @@
+From 2a92208349cb4d4b33244b5a59d4b6f02c3a75e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 10:33:00 -0700
+Subject: netfilter: ipset: Add schedule point in call_ad().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 24e227896bbf003165e006732dccb3516f87f88e ]
+
+syzkaller found a repro that causes Hung Task [0] with ipset. The repro
+first creates an ipset and then tries to delete a large number of IPs
+from the ipset concurrently:
+
+ IPSET_ATTR_IPADDR_IPV4 : 172.20.20.187
+ IPSET_ATTR_CIDR : 2
+
+The first deleting thread hogs a CPU with nfnl_lock(NFNL_SUBSYS_IPSET)
+held, and other threads wait for it to be released.
+
+Previously, the same issue existed in set->variant->uadt() that could run
+so long under ip_set_lock(set). Commit 5e29dc36bd5e ("netfilter: ipset:
+Rework long task execution when adding/deleting entries") tried to fix it,
+but the issue still exists in the caller with another mutex.
+
+While adding/deleting many IPs, we should release the CPU periodically to
+prevent someone from abusing ipset to hang the system.
+
+Note we need to increment the ipset's refcnt to prevent the ipset from
+being destroyed while rescheduling.
+
+[0]:
+INFO: task syz-executor174:268 blocked for more than 143 seconds.
+ Not tainted 6.4.0-rc1-00145-gba79e9a73284 #1
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor174 state:D stack:0 pid:268 ppid:260 flags:0x0000000d
+Call trace:
+ __switch_to+0x308/0x714 arch/arm64/kernel/process.c:556
+ context_switch kernel/sched/core.c:5343 [inline]
+ __schedule+0xd84/0x1648 kernel/sched/core.c:6669
+ schedule+0xf0/0x214 kernel/sched/core.c:6745
+ schedule_preempt_disabled+0x58/0xf0 kernel/sched/core.c:6804
+ __mutex_lock_common kernel/locking/mutex.c:679 [inline]
+ __mutex_lock+0x6fc/0xdb0 kernel/locking/mutex.c:747
+ __mutex_lock_slowpath+0x14/0x20 kernel/locking/mutex.c:1035
+ mutex_lock+0x98/0xf0 kernel/locking/mutex.c:286
+ nfnl_lock net/netfilter/nfnetlink.c:98 [inline]
+ nfnetlink_rcv_msg+0x480/0x70c net/netfilter/nfnetlink.c:295
+ netlink_rcv_skb+0x1c0/0x350 net/netlink/af_netlink.c:2546
+ nfnetlink_rcv+0x18c/0x199c net/netfilter/nfnetlink.c:658
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x664/0x8cc net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x6d0/0xa4c net/netlink/af_netlink.c:1913
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg net/socket.c:747 [inline]
+ ____sys_sendmsg+0x4b8/0x810 net/socket.c:2503
+ ___sys_sendmsg net/socket.c:2557 [inline]
+ __sys_sendmsg+0x1f8/0x2a4 net/socket.c:2586
+ __do_sys_sendmsg net/socket.c:2595 [inline]
+ __se_sys_sendmsg net/socket.c:2593 [inline]
+ __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2593
+ __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+ invoke_syscall+0x84/0x270 arch/arm64/kernel/syscall.c:52
+ el0_svc_common+0x134/0x24c arch/arm64/kernel/syscall.c:142
+ do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
+ el0_svc+0x2c/0x7c arch/arm64/kernel/entry-common.c:637
+ el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
+ el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
+
+Reported-by: syzkaller
+Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
+Signed-off-by: Kuniyuki Iwashima
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipset/ip_set_core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 16ae770f049dd..e3c14f8890a89 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1539,6 +1539,14 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
+ bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
+
+ do {
++ if (retried) {
++ __ip_set_get(set);
++ nfnl_unlock(NFNL_SUBSYS_IPSET);
++ cond_resched();
++ nfnl_lock(NFNL_SUBSYS_IPSET);
++ __ip_set_put(set);
++ }
++
+ ip_set_lock(set);
+ ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
+ ip_set_unlock(set);
+--
+2.39.2
+
diff --git a/queue-5.4/rfs-annotate-lockless-accesses-to-rfs-sock-flow-tabl.patch b/queue-5.4/rfs-annotate-lockless-accesses-to-rfs-sock-flow-tabl.patch
new file mode 100644
index 00000000000..bd02078e329
--- /dev/null
+++ b/queue-5.4/rfs-annotate-lockless-accesses-to-rfs-sock-flow-tabl.patch
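Review bot: The added block in call_ad drops and retakes the nfnetlink mutex with only an `__ip_set_get`/`__ip_set_put` pair around it, and the reason for that reference, that the set could otherwise be destroyed while the mutex is released, lives only in the commit message. Suggest a comment before `__ip_set_get(set);` stating it: `/* Give up the CPU between retries; hold a ref so the set cannot be destroyed while the mutex is dropped */`. Whether other nfnetlink operations on the same set can interleave with a retried add/del during the unlocked window is not visible here and, if it is accepted behaviour, deserves a sentence in that comment. call_ad starts and ends outside the hunk.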
@@ -0,0 +1,67 @@
+From 5348c43620906607d91c8a5193ed60fa76a727aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 07:41:15 +0000
+Subject: rfs: annotate lockless accesses to RFS sock flow table
+
+From: Eric Dumazet
+
+[ Upstream commit 5c3b74a92aa285a3df722bf6329ba7ccf70346d6 ]
+
+Add READ_ONCE()/WRITE_ONCE() on accesses to the sock flow table.
+
+This also prevents a (smart ?) compiler to remove the condition in:
+
+if (table->ents[index] != newval)
+ table->ents[index] = newval;
+
+We need the condition to avoid dirtying a shared cache line.
+
+Fixes: fec5e652e58f ("rfs: Receive Flow Steering")
+Signed-off-by: Eric Dumazet
+Reviewed-by: Simon Horman
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/linux/netdevice.h | 7 +++++--
+ net/core/dev.c | 6 ++++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 125542f305fad..f6a5a866ea70b 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -732,8 +732,11 @@ static inline void rps_record_sock_flow(struct rps_sock_flow_table *table,
+ /* We only give a hint, preemption can change CPU under us */
+ val |= raw_smp_processor_id();
+
+- if (table->ents[index] != val)
+- table->ents[index] = val;
++ /* The following WRITE_ONCE() is paired with the READ_ONCE()
++ * here, and another one in get_rps_cpu().
++ */
++ if (READ_ONCE(table->ents[index]) != val)
++ WRITE_ONCE(table->ents[index], val);
+ }
+ }
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 0cc0809628b08..92ae373475c9a 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4002,8 +4002,10 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
+ u32 next_cpu;
+ u32 ident;
+
+- /* First check into global flow table if there is a match */
+- ident = sock_flow_table->ents[hash & sock_flow_table->mask];
++ /* First check into global flow table if there is a match.
++ * This READ_ONCE() pairs with WRITE_ONCE() from rps_record_sock_flow().
++ */
++ ident = READ_ONCE(sock_flow_table->ents[hash & sock_flow_table->mask]);
+ if ((ident ^ hash) & ~rps_cpu_mask)
+ goto try_rps;
+
+--
+2.39.2
+
diff --git a/queue-5.4/rfs-annotate-lockless-accesses-to-sk-sk_rxhash.patch b/queue-5.4/rfs-annotate-lockless-accesses-to-sk-sk_rxhash.patch
new file mode 100644
index 00000000000..31d74f55357
--- /dev/null
+++ b/queue-5.4/rfs-annotate-lockless-accesses-to-sk-sk_rxhash.patch
@@ -0,0 +1,73 @@
+From 8dd6671a96846400dc50c27adf4943869d0691ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 07:41:14 +0000
+Subject: rfs: annotate lockless accesses to sk->sk_rxhash
+
+From: Eric Dumazet
+
+[ Upstream commit 1e5c647c3f6d4f8497dedcd226204e1880e0ffb3 ]
+
+Add READ_ONCE()/WRITE_ONCE() on accesses to sk->sk_rxhash.
+
+This also prevents a (smart ?) compiler to remove the condition in:
+
+if (sk->sk_rxhash != newval)
+ sk->sk_rxhash = newval;
+
+We need the condition to avoid dirtying a shared cache line.
+
+Fixes: fec5e652e58f ("rfs: Receive Flow Steering")
+Signed-off-by: Eric Dumazet
+Reviewed-by: Simon Horman
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 06fdb8f207b69..87e57f81ee82b 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -997,8 +997,12 @@ static inline void sock_rps_record_flow(const struct sock *sk)
+ * OR an additional socket flag
+ * [1] : sk_state and sk_prot are in the same cache line.
+ */
+- if (sk->sk_state == TCP_ESTABLISHED)
+- sock_rps_record_flow_hash(sk->sk_rxhash);
++ if (sk->sk_state == TCP_ESTABLISHED) {
++ /* This READ_ONCE() is paired with the WRITE_ONCE()
++ * from sock_rps_save_rxhash() and sock_rps_reset_rxhash().
++ */
++ sock_rps_record_flow_hash(READ_ONCE(sk->sk_rxhash));
++ }
+ }
+ #endif
+ }
+@@ -1007,15 +1011,19 @@ static inline void sock_rps_save_rxhash(struct sock *sk,
+ const struct sk_buff *skb)
+ {
+ #ifdef CONFIG_RPS
+- if (unlikely(sk->sk_rxhash != skb->hash))
+- sk->sk_rxhash = skb->hash;
++ /* The following WRITE_ONCE() is paired with the READ_ONCE()
++ * here, and another one in sock_rps_record_flow().
++ */
++ if (unlikely(READ_ONCE(sk->sk_rxhash) != skb->hash))
++ WRITE_ONCE(sk->sk_rxhash, skb->hash);
+ #endif
+ }
+
+ static inline void sock_rps_reset_rxhash(struct sock *sk)
+ {
+ #ifdef CONFIG_RPS
+- sk->sk_rxhash = 0;
++ /* Paired with READ_ONCE() in sock_rps_record_flow() */
++ WRITE_ONCE(sk->sk_rxhash, 0);
+ #endif
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 5eb5b3047ec..5849e91d7dc 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -2,3 +2,17 @@ blk-iocost-avoid-64-bit-division-in-ioc_timer_fn.patch
 block-blk-iocost-gcc13-keep-large-values-in-a-new-enum.patch
 i40iw-fix-build-warning-in-i40iw_manage_apbvt.patch
 i40e-fix-build-warnings-in-i40e_alloc.h.patch
+spi-qup-request-dma-before-enabling-clocks.patch
+neighbour-replace-zero-length-array-with-flexible-ar.patch
+neighbour-fix-unaligned-access-to-pneigh_entry.patch
+net-dsa-lan9303-allow-vid-0-in-port_fdb_-add-del-met.patch
+bluetooth-fix-l2cap_disconnect_req-deadlock.patch
+bluetooth-l2cap-add-missing-checks-for-invalid-dcid.patch
+netfilter-conntrack-fix-null-pointer-dereference-in-.patch
+netfilter-ipset-add-schedule-point-in-call_ad.patch
+rfs-annotate-lockless-accesses-to-sk-sk_rxhash.patch
+rfs-annotate-lockless-accesses-to-rfs-sock-flow-tabl.patch
+net-sched-move-rtm_tca_policy-declaration-to-include.patch
+net-sched-fix-possible-refcount-leak-in-tc_chain_tmp.patch
+lib-cpu_rmap-fix-potential-use-after-free-in-irq_cpu.patch
+bnxt_en-query-default-vlan-before-vnic-setup-on-a-vf.patch
diff --git a/queue-5.4/spi-qup-request-dma-before-enabling-clocks.patch b/queue-5.4/spi-qup-request-dma-before-enabling-clocks.patch
new file mode 100644
index 00000000000..b2a48377cd2
--- /dev/null
+++ b/queue-5.4/spi-qup-request-dma-before-enabling-clocks.patch
@@ -0,0 +1,122 @@
+From 6da709ce00ed3927ab75f1095807d87b6f61946f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 15:04:25 +0200
+Subject: spi: qup: Request DMA before enabling clocks
+
+From: Stephan Gerhold
+
+[ Upstream commit 0c331fd1dccfba657129380ee084b95c1cedfbef ]
+
+It is usually better to request all necessary resources (clocks,
+regulators, ...) before starting to make use of them. That way they do
+not change state in case one of the resources is not available yet and
+probe deferral (-EPROBE_DEFER) is necessary. This is particularly
+important for DMA channels and IOMMUs which are not enforced by
+fw_devlink yet (unless you use fw_devlink.strict=1).
+
+spi-qup does this in the wrong order, the clocks are enabled and
+disabled again when the DMA channels are not available yet.
+
+This causes issues in some cases: On most SoCs one of the SPI QUP
+clocks is shared with the UART controller. When using earlycon UART is
+actively used during boot but might not have probed yet, usually for
+the same reason (waiting for the DMA controller). In this case, the
+brief enable/disable cycle ends up gating the clock and further UART
+console output will halt the system completely.
+
+Avoid this by requesting the DMA channels before changing the clock
+state.
+
+Fixes: 612762e82ae6 ("spi: qup: Add DMA capabilities")
+Signed-off-by: Stephan Gerhold
+Link: https://lore.kernel.org/r/20230518-spi-qup-clk-defer-v1-1-f49fc9ca4e02@gerhold.net
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-qup.c | 37 ++++++++++++++++++-------------------
+ 1 file changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index ebcf9f4d5679e..94aa51d91b067 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1030,23 +1030,8 @@ static int spi_qup_probe(struct platform_device *pdev)
+ return -ENXIO;
+ }
+
+- ret = clk_prepare_enable(cclk);
+- if (ret) {
+- dev_err(dev, "cannot enable core clock\n");
+- return ret;
+- }
+-
+- ret = clk_prepare_enable(iclk);
+- if (ret) {
+- clk_disable_unprepare(cclk);
+- dev_err(dev, "cannot enable iface clock\n");
+- return ret;
+- }
+-
+ master = spi_alloc_master(dev, sizeof(struct spi_qup));
+ if (!master) {
+- clk_disable_unprepare(cclk);
+- clk_disable_unprepare(iclk);
+ dev_err(dev, "cannot allocate master\n");
+ return -ENOMEM;
+ }
+@@ -1092,6 +1077,19 @@ static int spi_qup_probe(struct platform_device *pdev)
+ spin_lock_init(&controller->lock);
+ init_completion(&controller->done);
+
++ ret = clk_prepare_enable(cclk);
++ if (ret) {
++ dev_err(dev, "cannot enable core clock\n");
++ goto error_dma;
++ }
++
++ ret = clk_prepare_enable(iclk);
++ if (ret) {
++ clk_disable_unprepare(cclk);
++ dev_err(dev, "cannot enable iface clock\n");
++ goto error_dma;
++ }
++
+ iomode = readl_relaxed(base + QUP_IO_M_MODES);
+
+ size = QUP_IO_M_OUTPUT_BLOCK_SIZE(iomode);
+@@ -1121,7 +1119,7 @@ static int spi_qup_probe(struct platform_device *pdev)
+ ret = spi_qup_set_state(controller, QUP_STATE_RESET);
+ if (ret) {
+ dev_err(dev, "cannot set RESET state\n");
+- goto error_dma;
++ goto error_clk;
+ }
+
+ writel_relaxed(0, base + QUP_OPERATIONAL);
+@@ -1145,7 +1143,7 @@ static int spi_qup_probe(struct platform_device *pdev)
+ ret = devm_request_irq(dev, irq, spi_qup_qup_irq,
+ IRQF_TRIGGER_HIGH, pdev->name, controller);
+ if (ret)
+- goto error_dma;
++ goto error_clk;
+
+ pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
+ pm_runtime_use_autosuspend(dev);
+@@ -1160,11 +1158,12 @@ static int spi_qup_probe(struct platform_device *pdev)
+
+ disable_pm:
+ pm_runtime_disable(&pdev->dev);
++error_clk:
++ clk_disable_unprepare(cclk);
++ clk_disable_unprepare(iclk);
+ error_dma:
+ spi_qup_release_dma(master);
+ error:
+- clk_disable_unprepare(cclk);
+- clk_disable_unprepare(iclk);
+ spi_master_put(master);
+ return ret;
+ }
+--
+2.39.2
+
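Review bot: The new error_clk label in spi_qup_probe disables cclk before iclk, the same order in which the clocks were enabled a few hunks earlier, and the iclk-failure branch repeats `clk_disable_unprepare(cclk);` inline before jumping to error_dma; this is a style point rather than a defect, but tearing down in reverse order with one label per clock removes the duplication and makes the unwind mirror the setup. The rewrite below does that; the two `goto error_clk` sites (after spi_qup_set_state and after devm_request_irq) would become `goto error_iclk`, and the core-clock failure keeps its `goto error_dma`. The fall-through from disable_pm into the clock labels stays as the hunk has it. spi_qup_probe begins and ends outside the hunk.
```c
	ret = clk_prepare_enable(iclk);
	if (ret) {
		dev_err(dev, "cannot enable iface clock\n");
		goto error_cclk;
	}
	/* … unchanged: iomode/size setup, reset, IRQ request (their error paths now goto error_iclk) … */
error_iclk:
	clk_disable_unprepare(iclk);
error_cclk:
	clk_disable_unprepare(cclk);
error_dma:
	spi_qup_release_dma(master);
```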