From: Sasha Levin Date: Sun, 28 Aug 2022 14:31:03 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.10.140~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7bf5e054e45282e0952bfdcba086a2d7c184e090;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch b/queue-5.4/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch new file mode 100644 index 00000000000..a0788397b7c --- /dev/null +++ b/queue-5.4/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch @@ -0,0 +1,42 @@ +From 9340b0ff6aaebdbf48ab080cb40ee549a741223e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 18:03:46 +0800 +Subject: af_key: Do not call xfrm_probe_algs in parallel + +From: Herbert Xu + +[ Upstream commit ba953a9d89a00c078b85f4b190bc1dde66fe16b5 ] + +When namespace support was added to xfrm/afkey, it caused the +previously single-threaded call to xfrm_probe_algs to become +multi-threaded. This is buggy and needs to be fixed with a mutex. + +Reported-by: Abhishek Shah +Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks") +Signed-off-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 32fe99cd01fc8..c06cc48c68c90 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1701,9 +1701,12 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad + pfk->registered |= (1<sadb_msg_satype); + } + ++ mutex_lock(&pfkey_mutex); + xfrm_probe_algs(); + + supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); ++ mutex_unlock(&pfkey_mutex); ++ + if (!supp_skb) { + if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) + pfk->registered &= ~(1<sadb_msg_satype); +-- +2.35.1 + diff --git a/queue-5.4/bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch b/queue-5.4/bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch new file mode 100644 index 00000000000..43058565169 --- /dev/null +++ b/queue-5.4/bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch @@ -0,0 +1,44 @@ +From 25fe4cefac87ad9a5123d8adc019e1c8e21a906b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 11:06:53 -0400 +Subject: bnxt_en: fix NQ resource accounting during vf creation on 57500 chips + +From: Vikas Gupta + +[ Upstream commit 09a89cc59ad67794a11e1d3dd13c5b3172adcc51 ] + +There are 2 issues: + +1. We should decrement hw_resc->max_nqs instead of hw_resc->max_irqs + with the number of NQs assigned to the VFs. The IRQs are fixed + on each function and cannot be re-assigned. Only the NQs are being + assigned to the VFs. + +2. vf_msix is the total number of NQs to be assigned to the VFs. So + we should decrement vf_msix from hw_resc->max_nqs. + +Fixes: b16b68918674 ("bnxt_en: Add SR-IOV support for 57500 chips.") +Signed-off-by: Vikas Gupta +Signed-off-by: Michael Chan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +index 452be9749827a..3434ad6824a05 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +@@ -597,7 +597,7 @@ static int bnxt_hwrm_func_vf_resc_cfg(struct bnxt *bp, int num_vfs, bool reset) + hw_resc->max_stat_ctxs -= le16_to_cpu(req.min_stat_ctx) * n; + hw_resc->max_vnics -= le16_to_cpu(req.min_vnics) * n; + if (bp->flags & BNXT_FLAG_CHIP_P5) +- hw_resc->max_irqs -= vf_msix * n; ++ hw_resc->max_nqs -= vf_msix; + + rc = pf->active_vfs; + } +-- +2.35.1 + diff --git a/queue-5.4/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch b/queue-5.4/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch new file mode 100644 index 00000000000..240e09ef6a9 --- /dev/null +++ b/queue-5.4/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch @@ -0,0 +1,137 @@ +From 4aefc05c4b99e1813d0810021b8b3215807a8dc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 11:15:13 -0400 +Subject: bonding: 802.3ad: fix no transmission of LACPDUs + +From: Jonathan Toppins + +[ Upstream commit d745b5062ad2b5da90a5e728d7ca884fc07315fd ] + +This is caused by the global variable ad_ticks_per_sec being zero as +demonstrated by the reproducer script discussed below. This causes +all timer values in __ad_timer_to_ticks to be zero, resulting +in the periodic timer to never fire. + +To reproduce: +Run the script in +`tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh` which +puts bonding into a state where it never transmits LACPDUs. + +line 44: ip link add fbond type bond mode 4 miimon 200 \ + xmit_hash_policy 1 ad_actor_sys_prio 65535 lacp_rate fast +setting bond param: ad_actor_sys_prio +given: + params.ad_actor_system = 0 +call stack: + bond_option_ad_actor_sys_prio() + -> bond_3ad_update_ad_actor_settings() + -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio + -> ad.system.sys_mac_addr = bond->dev->dev_addr; because + params.ad_actor_system == 0 +results: + ad.system.sys_mac_addr = bond->dev->dev_addr + +line 48: ip link set fbond address 52:54:00:3B:7C:A6 +setting bond MAC addr +call stack: + bond->dev->dev_addr = new_mac + +line 52: ip link set fbond type bond ad_actor_sys_prio 65535 +setting bond param: ad_actor_sys_prio +given: + params.ad_actor_system = 0 +call stack: + bond_option_ad_actor_sys_prio() + -> bond_3ad_update_ad_actor_settings() + -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio + -> ad.system.sys_mac_addr = bond->dev->dev_addr; because + params.ad_actor_system == 0 +results: + ad.system.sys_mac_addr = bond->dev->dev_addr + +line 60: ip link set veth1-bond down master fbond +given: + params.ad_actor_system = 0 + params.mode = BOND_MODE_8023AD + ad.system.sys_mac_addr == bond->dev->dev_addr +call stack: + bond_enslave + -> bond_3ad_initialize(); because first slave + -> if ad.system.sys_mac_addr != bond->dev->dev_addr + return +results: + Nothing is run in bond_3ad_initialize() because dev_addr equals + sys_mac_addr leaving the global ad_ticks_per_sec zero as it is + never initialized anywhere else. + +The if check around the contents of bond_3ad_initialize() is no longer +needed due to commit 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings +changes immediately") which sets ad.system.sys_mac_addr if any one of +the bonding parameters whos set function calls +bond_3ad_update_ad_actor_settings(). This is because if +ad.system.sys_mac_addr is zero it will be set to the current bond mac +address, this causes the if check to never be true. + +Fixes: 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings changes immediately") +Signed-off-by: Jonathan Toppins +Acked-by: Jay Vosburgh +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_3ad.c | 38 ++++++++++++++-------------------- + 1 file changed, 16 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c +index 31ed7616e84e7..0d6cd2a4cc416 100644 +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -1997,30 +1997,24 @@ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout) + */ + void bond_3ad_initialize(struct bonding *bond, u16 tick_resolution) + { +- /* check that the bond is not initialized yet */ +- if (!MAC_ADDRESS_EQUAL(&(BOND_AD_INFO(bond).system.sys_mac_addr), +- bond->dev->dev_addr)) { +- +- BOND_AD_INFO(bond).aggregator_identifier = 0; +- +- BOND_AD_INFO(bond).system.sys_priority = +- bond->params.ad_actor_sys_prio; +- if (is_zero_ether_addr(bond->params.ad_actor_system)) +- BOND_AD_INFO(bond).system.sys_mac_addr = +- *((struct mac_addr *)bond->dev->dev_addr); +- else +- BOND_AD_INFO(bond).system.sys_mac_addr = +- *((struct mac_addr *)bond->params.ad_actor_system); ++ BOND_AD_INFO(bond).aggregator_identifier = 0; ++ BOND_AD_INFO(bond).system.sys_priority = ++ bond->params.ad_actor_sys_prio; ++ if (is_zero_ether_addr(bond->params.ad_actor_system)) ++ BOND_AD_INFO(bond).system.sys_mac_addr = ++ *((struct mac_addr *)bond->dev->dev_addr); ++ else ++ BOND_AD_INFO(bond).system.sys_mac_addr = ++ *((struct mac_addr *)bond->params.ad_actor_system); + +- /* initialize how many times this module is called in one +- * second (should be about every 100ms) +- */ +- ad_ticks_per_sec = tick_resolution; ++ /* initialize how many times this module is called in one ++ * second (should be about every 100ms) ++ */ ++ ad_ticks_per_sec = tick_resolution; + +- bond_3ad_initiate_agg_selection(bond, +- AD_AGGREGATOR_SELECTION_TIMER * +- ad_ticks_per_sec); +- } ++ bond_3ad_initiate_agg_selection(bond, ++ AD_AGGREGATOR_SELECTION_TIMER * ++ ad_ticks_per_sec); + } + + /** +-- +2.35.1 + diff --git a/queue-5.4/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch b/queue-5.4/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch new file mode 100644 index 00000000000..d7ef31c107b --- /dev/null +++ b/queue-5.4/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch @@ -0,0 +1,137 @@ +From 6104fb3c7bc6a5f4461252d25ef30480c35fa956 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 17:24:19 -0700 +Subject: ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter + +From: Jacob Keller + +[ Upstream commit 25d7a5f5a6bb15a2dae0a3f39ea5dda215024726 ] + +The ixgbe_ptp_start_cyclecounter is intended to be called whenever the +cyclecounter parameters need to be changed. + +Since commit a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x +devices"), this function has cleared the SYSTIME registers and reset the +TSAUXC DISABLE_SYSTIME bit. + +While these need to be cleared during ixgbe_ptp_reset, it is wrong to clear +them during ixgbe_ptp_start_cyclecounter. This function may be called +during both reset and link status change. When link changes, the SYSTIME +counter is still operating normally, but the cyclecounter should be updated +to account for the possibly changed parameters. + +Clearing SYSTIME when link changes causes the timecounter to jump because +the cycle counter now reads zero. + +Extract the SYSTIME initialization out to a new function and call this +during ixgbe_ptp_reset. This prevents the timecounter adjustment and avoids +an unnecessary reset of the current time. + +This also restores the original SYSTIME clearing that occurred during +ixgbe_ptp_reset before the commit above. + +Reported-by: Steve Payne +Reported-by: Ilya Evenbach +Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices") +Signed-off-by: Jacob Keller +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 59 +++++++++++++++----- + 1 file changed, 46 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +index 0be13a90ff792..d155181b939e4 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +@@ -1211,7 +1211,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + struct cyclecounter cc; + unsigned long flags; + u32 incval = 0; +- u32 tsauxc = 0; + u32 fuse0 = 0; + + /* For some of the boards below this mask is technically incorrect. +@@ -1246,18 +1245,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + case ixgbe_mac_x550em_a: + case ixgbe_mac_X550: + cc.read = ixgbe_ptp_read_X550; +- +- /* enable SYSTIME counter */ +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); +- tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC); +- IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, +- tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); +- IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); +- IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); +- +- IXGBE_WRITE_FLUSH(hw); + break; + case ixgbe_mac_X540: + cc.read = ixgbe_ptp_read_82599; +@@ -1289,6 +1276,50 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + spin_unlock_irqrestore(&adapter->tmreg_lock, flags); + } + ++/** ++ * ixgbe_ptp_init_systime - Initialize SYSTIME registers ++ * @adapter: the ixgbe private board structure ++ * ++ * Initialize and start the SYSTIME registers. ++ */ ++static void ixgbe_ptp_init_systime(struct ixgbe_adapter *adapter) ++{ ++ struct ixgbe_hw *hw = &adapter->hw; ++ u32 tsauxc; ++ ++ switch (hw->mac.type) { ++ case ixgbe_mac_X550EM_x: ++ case ixgbe_mac_x550em_a: ++ case ixgbe_mac_X550: ++ tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC); ++ ++ /* Reset SYSTIME registers to 0 */ ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); ++ ++ /* Reset interrupt settings */ ++ IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); ++ IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); ++ ++ /* Activate the SYSTIME counter */ ++ IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, ++ tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); ++ break; ++ case ixgbe_mac_X540: ++ case ixgbe_mac_82599EB: ++ /* Reset SYSTIME registers to 0 */ ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); ++ break; ++ default: ++ /* Other devices aren't supported */ ++ return; ++ }; ++ ++ IXGBE_WRITE_FLUSH(hw); ++} ++ + /** + * ixgbe_ptp_reset + * @adapter: the ixgbe private board structure +@@ -1315,6 +1346,8 @@ void ixgbe_ptp_reset(struct ixgbe_adapter *adapter) + + ixgbe_ptp_start_cyclecounter(adapter); + ++ ixgbe_ptp_init_systime(adapter); ++ + spin_lock_irqsave(&adapter->tmreg_lock, flags); + timecounter_init(&adapter->hw_tc, &adapter->hw_cc, + ktime_to_ns(ktime_get_real())); +-- +2.35.1 + diff --git a/queue-5.4/net-fix-a-data-race-around-netdev_budget.patch b/queue-5.4/net-fix-a-data-race-around-netdev_budget.patch new file mode 100644 index 00000000000..4837b258288 --- /dev/null +++ b/queue-5.4/net-fix-a-data-race-around-netdev_budget.patch @@ -0,0 +1,36 @@ +From c319552831a759de6f575a12d96edac3d1355693 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:53 -0700 +Subject: net: Fix a data-race around netdev_budget. + +From: Kuniyuki Iwashima + +[ Upstream commit 2e0c42374ee32e72948559d2ae2f7ba3dc6b977c ] + +While reading netdev_budget, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 51b0bdedb8e7 ("[NET]: Separate two usages of netdev_max_backlog.") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 99b0025864984..7c19e672dde84 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6394,7 +6394,7 @@ static __latent_entropy void net_rx_action(struct softirq_action *h) + struct softnet_data *sd = this_cpu_ptr(&softnet_data); + unsigned long time_limit = jiffies + + usecs_to_jiffies(netdev_budget_usecs); +- int budget = netdev_budget; ++ int budget = READ_ONCE(netdev_budget); + LIST_HEAD(list); + LIST_HEAD(repoll); + +-- +2.35.1 + diff --git a/queue-5.4/net-fix-a-data-race-around-netdev_budget_usecs.patch b/queue-5.4/net-fix-a-data-race-around-netdev_budget_usecs.patch new file mode 100644 index 00000000000..c5ec0b1a7ba --- /dev/null +++ b/queue-5.4/net-fix-a-data-race-around-netdev_budget_usecs.patch @@ -0,0 +1,36 @@ +From f2345790be2a2293854b48dd49f76a268e0fb3f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:55 -0700 +Subject: net: Fix a data-race around netdev_budget_usecs. + +From: Kuniyuki Iwashima + +[ Upstream commit fa45d484c52c73f79db2c23b0cdfc6c6455093ad ] + +While reading netdev_budget_usecs, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 7acf8a1e8a28 ("Replace 2 jiffies with sysctl netdev_budget_usecs to enable softirq tuning") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 7c19e672dde84..25b4fe06fbb4e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6393,7 +6393,7 @@ static __latent_entropy void net_rx_action(struct softirq_action *h) + { + struct softnet_data *sd = this_cpu_ptr(&softnet_data); + unsigned long time_limit = jiffies + +- usecs_to_jiffies(netdev_budget_usecs); ++ usecs_to_jiffies(READ_ONCE(netdev_budget_usecs)); + int budget = READ_ONCE(netdev_budget); + LIST_HEAD(list); + LIST_HEAD(repoll); +-- +2.35.1 + diff --git a/queue-5.4/net-fix-a-data-race-around-sysctl_net_busy_poll.patch b/queue-5.4/net-fix-a-data-race-around-sysctl_net_busy_poll.patch new file mode 100644 index 00000000000..a5117531e27 --- /dev/null +++ b/queue-5.4/net-fix-a-data-race-around-sysctl_net_busy_poll.patch @@ -0,0 +1,36 @@ +From b6c8e9808586bd81478d1790f76a7eed569d3806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:51 -0700 +Subject: net: Fix a data-race around sysctl_net_busy_poll. + +From: Kuniyuki Iwashima + +[ Upstream commit c42b7cddea47503411bfb5f2f93a4154aaffa2d9 ] + +While reading sysctl_net_busy_poll, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 060212928670 ("net: add low latency socket poll") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/busy_poll.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h +index 9899b9af7f22f..16258c0c7319e 100644 +--- a/include/net/busy_poll.h ++++ b/include/net/busy_poll.h +@@ -31,7 +31,7 @@ extern unsigned int sysctl_net_busy_poll __read_mostly; + + static inline bool net_busy_loop_on(void) + { +- return sysctl_net_busy_poll; ++ return READ_ONCE(sysctl_net_busy_poll); + } + + static inline bool sk_can_busy_loop(const struct sock *sk) +-- +2.35.1 + diff --git a/queue-5.4/net-fix-a-data-race-around-sysctl_net_busy_read.patch b/queue-5.4/net-fix-a-data-race-around-sysctl_net_busy_read.patch new file mode 100644 index 00000000000..36a78029707 --- /dev/null +++ b/queue-5.4/net-fix-a-data-race-around-sysctl_net_busy_read.patch @@ -0,0 +1,36 @@ +From 31db0eba9eb8b03b798a89765821e411f345fce1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:52 -0700 +Subject: net: Fix a data-race around sysctl_net_busy_read. + +From: Kuniyuki Iwashima + +[ Upstream commit e59ef36f0795696ab229569c153936bfd068d21c ] + +While reading sysctl_net_busy_read, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 2d48d67fa8cd ("net: poll/select low latency socket support") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index c84f68bff7f58..a2b12a5cf42bc 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2946,7 +2946,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) + + #ifdef CONFIG_NET_RX_BUSY_POLL + sk->sk_napi_id = 0; +- sk->sk_ll_usec = sysctl_net_busy_read; ++ sk->sk_ll_usec = READ_ONCE(sysctl_net_busy_read); + #endif + + sk->sk_max_pacing_rate = ~0UL; +-- +2.35.1 + diff --git a/queue-5.4/net-fix-a-data-race-around-sysctl_somaxconn.patch b/queue-5.4/net-fix-a-data-race-around-sysctl_somaxconn.patch new file mode 100644 index 00000000000..5f2a9a49900 --- /dev/null +++ b/queue-5.4/net-fix-a-data-race-around-sysctl_somaxconn.patch @@ -0,0 +1,36 @@ +From deb09b60aee81d838316ec7ae264a837b9d03ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:47:00 -0700 +Subject: net: Fix a data-race around sysctl_somaxconn. + +From: Kuniyuki Iwashima + +[ Upstream commit 3c9ba81d72047f2e81bb535d42856517b613aba7 ] + +While reading sysctl_somaxconn, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/socket.c b/net/socket.c +index 94358566c9d10..02feaf5bd84a3 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1661,7 +1661,7 @@ int __sys_listen(int fd, int backlog) + + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (sock) { +- somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn; ++ somaxconn = READ_ONCE(sock_net(sock->sk)->core.sysctl_somaxconn); + if ((unsigned int)backlog > somaxconn) + backlog = somaxconn; + +-- +2.35.1 + diff --git a/queue-5.4/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch b/queue-5.4/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch new file mode 100644 index 00000000000..e1c862cf1e5 --- /dev/null +++ b/queue-5.4/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch @@ -0,0 +1,36 @@ +From 0374fdeba394c0c3afcf0a0a87a2fcef806a2b49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:50 -0700 +Subject: net: Fix a data-race around sysctl_tstamp_allow_data. + +From: Kuniyuki Iwashima + +[ Upstream commit d2154b0afa73c0159b2856f875c6b4fe7cf6a95e ] + +While reading sysctl_tstamp_allow_data, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its reader. + +Fixes: b245be1f4db1 ("net-timestamp: no-payload only sysctl") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 5bdb3cd20d619..c9fe2c0b8cae3 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4564,7 +4564,7 @@ static bool skb_may_tx_timestamp(struct sock *sk, bool tsonly) + { + bool ret; + +- if (likely(sysctl_tstamp_allow_data || tsonly)) ++ if (likely(READ_ONCE(sysctl_tstamp_allow_data) || tsonly)) + return true; + + read_lock_bh(&sk->sk_callback_lock); +-- +2.35.1 + diff --git a/queue-5.4/net-fix-data-races-around-netdev_tstamp_prequeue.patch b/queue-5.4/net-fix-data-races-around-netdev_tstamp_prequeue.patch new file mode 100644 index 00000000000..e3c1d6062ee --- /dev/null +++ b/queue-5.4/net-fix-data-races-around-netdev_tstamp_prequeue.patch @@ -0,0 +1,63 @@ +From 0d49310791fe95e81e66179813efe7fd2a8f9218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:47 -0700 +Subject: net: Fix data-races around netdev_tstamp_prequeue. + +From: Kuniyuki Iwashima + +[ Upstream commit 61adf447e38664447526698872e21c04623afb8e ] + +While reading netdev_tstamp_prequeue, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its readers. + +Fixes: 3b098e2d7c69 ("net: Consistent skb timestamping") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 517fb03a0bb89..99b0025864984 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4411,7 +4411,7 @@ static int netif_rx_internal(struct sk_buff *skb) + { + int ret; + +- net_timestamp_check(netdev_tstamp_prequeue, skb); ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb); + + trace_netif_rx(skb); + +@@ -4753,7 +4753,7 @@ static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc, + int ret = NET_RX_DROP; + __be16 type; + +- net_timestamp_check(!netdev_tstamp_prequeue, skb); ++ net_timestamp_check(!READ_ONCE(netdev_tstamp_prequeue), skb); + + trace_netif_receive_skb(skb); + +@@ -5135,7 +5135,7 @@ static int netif_receive_skb_internal(struct sk_buff *skb) + { + int ret; + +- net_timestamp_check(netdev_tstamp_prequeue, skb); ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb); + + if (skb_defer_rx_timestamp(skb)) + return NET_RX_SUCCESS; +@@ -5165,7 +5165,7 @@ static void netif_receive_skb_list_internal(struct list_head *head) + + INIT_LIST_HEAD(&sublist); + list_for_each_entry_safe(skb, next, head, list) { +- net_timestamp_check(netdev_tstamp_prequeue, skb); ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb); + skb_list_del_init(skb); + if (!skb_defer_rx_timestamp(skb)) + list_add_tail(&skb->list, &sublist); +-- +2.35.1 + diff --git a/queue-5.4/net-fix-data-races-around-weight_p-and-dev_weight_-r.patch b/queue-5.4/net-fix-data-races-around-weight_p-and-dev_weight_-r.patch new file mode 100644 index 00000000000..e5700919a9f --- /dev/null +++ b/queue-5.4/net-fix-data-races-around-weight_p-and-dev_weight_-r.patch @@ -0,0 +1,85 @@ +From 0f45f67ce8e422531ef748408b71c86aab5a7284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:45 -0700 +Subject: net: Fix data-races around weight_p and dev_weight_[rt]x_bias. + +From: Kuniyuki Iwashima + +[ Upstream commit bf955b5ab8f6f7b0632cdef8e36b14e4f6e77829 ] + +While reading weight_p, it can be changed concurrently. Thus, we need +to add READ_ONCE() to its reader. + +Also, dev_[rt]x_weight can be read/written at the same time. So, we +need to use READ_ONCE() and WRITE_ONCE() for its access. Moreover, to +use the same weight_p while changing dev_[rt]x_weight, we add a mutex +in proc_do_dev_weight(). + +Fixes: 3d48b53fb2ae ("net: dev_weight: TX/RX orthogonality") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + net/core/sysctl_net_core.c | 15 +++++++++------ + net/sched/sch_generic.c | 2 +- + 3 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index a03036456221b..517fb03a0bb89 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5892,7 +5892,7 @@ static int process_backlog(struct napi_struct *napi, int quota) + net_rps_action_and_irq_enable(sd); + } + +- napi->weight = dev_rx_weight; ++ napi->weight = READ_ONCE(dev_rx_weight); + while (again) { + struct sk_buff *skb; + +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index 48041f50ecfb4..586598887095d 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -238,14 +238,17 @@ static int set_default_qdisc(struct ctl_table *table, int write, + static int proc_do_dev_weight(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +- int ret; ++ static DEFINE_MUTEX(dev_weight_mutex); ++ int ret, weight; + ++ mutex_lock(&dev_weight_mutex); + ret = proc_dointvec(table, write, buffer, lenp, ppos); +- if (ret != 0) +- return ret; +- +- dev_rx_weight = weight_p * dev_weight_rx_bias; +- dev_tx_weight = weight_p * dev_weight_tx_bias; ++ if (!ret && write) { ++ weight = READ_ONCE(weight_p); ++ WRITE_ONCE(dev_rx_weight, weight * dev_weight_rx_bias); ++ WRITE_ONCE(dev_tx_weight, weight * dev_weight_tx_bias); ++ } ++ mutex_unlock(&dev_weight_mutex); + + return ret; + } +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index ae5847de94c88..81fcf6c5bde96 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -403,7 +403,7 @@ static inline bool qdisc_restart(struct Qdisc *q, int *packets) + + void __qdisc_run(struct Qdisc *q) + { +- int quota = dev_tx_weight; ++ int quota = READ_ONCE(dev_tx_weight); + int packets; + + while (qdisc_restart(q, &packets)) { +-- +2.35.1 + diff --git a/queue-5.4/net-ipvtap-add-__init-__exit-annotations-to-module-i.patch b/queue-5.4/net-ipvtap-add-__init-__exit-annotations-to-module-i.patch new file mode 100644 index 00000000000..82721fc6878 --- /dev/null +++ b/queue-5.4/net-ipvtap-add-__init-__exit-annotations-to-module-i.patch @@ -0,0 +1,50 @@ +From 57f3f72ecbe9a7da3f5051e931633d4e0b804cae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 06:08:08 -0700 +Subject: net: ipvtap - add __init/__exit annotations to module init/exit funcs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Å»enczykowski + +[ Upstream commit 4b2e3a17e9f279325712b79fb01d1493f9e3e005 ] + +Looks to have been left out in an oversight. + +Cc: Mahesh Bandewar +Cc: Sainath Grandhi +Fixes: 235a9d89da97 ('ipvtap: IP-VLAN based tap driver') +Signed-off-by: Maciej Å»enczykowski +Link: https://lore.kernel.org/r/20220821130808.12143-1-zenczykowski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvtap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvtap.c b/drivers/net/ipvlan/ipvtap.c +index 1cedb634f4f7b..f01078b2581ce 100644 +--- a/drivers/net/ipvlan/ipvtap.c ++++ b/drivers/net/ipvlan/ipvtap.c +@@ -194,7 +194,7 @@ static struct notifier_block ipvtap_notifier_block __read_mostly = { + .notifier_call = ipvtap_device_event, + }; + +-static int ipvtap_init(void) ++static int __init ipvtap_init(void) + { + int err; + +@@ -228,7 +228,7 @@ static int ipvtap_init(void) + } + module_init(ipvtap_init); + +-static void ipvtap_exit(void) ++static void __exit ipvtap_exit(void) + { + rtnl_link_unregister(&ipvtap_link_ops); + unregister_netdevice_notifier(&ipvtap_notifier_block); +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch b/queue-5.4/net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch new file mode 100644 index 00000000000..48444b0f983 --- /dev/null +++ b/queue-5.4/net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch @@ -0,0 +1,40 @@ +From d0f0e5f2d0337977fea5e0de72ec6f7b2a544c98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 21:41:48 +0200 +Subject: net/mlx5e: Properly disable vlan strip on non-UL reps + +From: Vlad Buslov + +[ Upstream commit f37044fd759b6bc40b6398a978e0b1acdf717372 ] + +When querying mlx5 non-uplink representors capabilities with ethtool +rx-vlan-offload is marked as "off [fixed]". However, it is actually always +enabled because mlx5e_params->vlan_strip_disable is 0 by default when +initializing struct mlx5e_params instance. Fix the issue by explicitly +setting the vlan_strip_disable to 'true' for non-uplink representors. + +Fixes: cb67b832921c ("net/mlx5e: Introduce SRIOV VF representors") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 88b51f64a64ea..f448a139e222e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1434,6 +1434,8 @@ static void mlx5e_build_rep_params(struct net_device *netdev) + + params->num_tc = 1; + params->tunneled_offload_en = false; ++ if (rep->vport != MLX5_VPORT_UPLINK) ++ params->vlan_strip_disable = true; + + mlx5_query_min_inline(mdev, ¶ms->tx_min_inline_mode); + +-- +2.35.1 + diff --git a/queue-5.4/net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch b/queue-5.4/net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch new file mode 100644 index 00000000000..65c56e9596b --- /dev/null +++ b/queue-5.4/net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch @@ -0,0 +1,104 @@ +From 52f030ad94af1858445031379c1d267445baa442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 14:05:19 +0300 +Subject: net: moxa: get rid of asymmetry in DMA mapping/unmapping + +From: Sergei Antonov + +[ Upstream commit 0ee7828dfc56e97d71e51e6374dc7b4eb2b6e081 ] + +Since priv->rx_mapping[i] is maped in moxart_mac_open(), we +should unmap it from moxart_mac_stop(). Fixes 2 warnings. + +1. During error unwinding in moxart_mac_probe(): "goto init_fail;", +then moxart_mac_free_memory() calls dma_unmap_single() with +priv->rx_mapping[i] pointers zeroed. + +WARNING: CPU: 0 PID: 1 at kernel/dma/debug.c:963 check_unmap+0x704/0x980 +DMA-API: moxart-ethernet 92000000.mac: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=1600 bytes] +CPU: 0 PID: 1 Comm: swapper Not tainted 5.19.0+ #60 +Hardware name: Generic DT based system + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x34/0x44 + dump_stack_lvl from __warn+0xbc/0x1f0 + __warn from warn_slowpath_fmt+0x94/0xc8 + warn_slowpath_fmt from check_unmap+0x704/0x980 + check_unmap from debug_dma_unmap_page+0x8c/0x9c + debug_dma_unmap_page from moxart_mac_free_memory+0x3c/0xa8 + moxart_mac_free_memory from moxart_mac_probe+0x190/0x218 + moxart_mac_probe from platform_probe+0x48/0x88 + platform_probe from really_probe+0xc0/0x2e4 + +2. After commands: + ip link set dev eth0 down + ip link set dev eth0 up + +WARNING: CPU: 0 PID: 55 at kernel/dma/debug.c:570 add_dma_entry+0x204/0x2ec +DMA-API: moxart-ethernet 92000000.mac: cacheline tracking EEXIST, overlapping mappings aren't supported +CPU: 0 PID: 55 Comm: ip Not tainted 5.19.0+ #57 +Hardware name: Generic DT based system + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x34/0x44 + dump_stack_lvl from __warn+0xbc/0x1f0 + __warn from warn_slowpath_fmt+0x94/0xc8 + warn_slowpath_fmt from add_dma_entry+0x204/0x2ec + add_dma_entry from dma_map_page_attrs+0x110/0x328 + dma_map_page_attrs from moxart_mac_open+0x134/0x320 + moxart_mac_open from __dev_open+0x11c/0x1ec + __dev_open from __dev_change_flags+0x194/0x22c + __dev_change_flags from dev_change_flags+0x14/0x44 + dev_change_flags from devinet_ioctl+0x6d4/0x93c + devinet_ioctl from inet_ioctl+0x1ac/0x25c + +v1 -> v2: +Extraneous change removed. + +Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver") +Signed-off-by: Sergei Antonov +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220819110519.1230877-1-saproj@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/moxa/moxart_ether.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c +index 383d72415c659..87327086ea8ca 100644 +--- a/drivers/net/ethernet/moxa/moxart_ether.c ++++ b/drivers/net/ethernet/moxa/moxart_ether.c +@@ -74,11 +74,6 @@ static int moxart_set_mac_address(struct net_device *ndev, void *addr) + static void moxart_mac_free_memory(struct net_device *ndev) + { + struct moxart_mac_priv_t *priv = netdev_priv(ndev); +- int i; +- +- for (i = 0; i < RX_DESC_NUM; i++) +- dma_unmap_single(&priv->pdev->dev, priv->rx_mapping[i], +- priv->rx_buf_size, DMA_FROM_DEVICE); + + if (priv->tx_desc_base) + dma_free_coherent(&priv->pdev->dev, +@@ -193,6 +188,7 @@ static int moxart_mac_open(struct net_device *ndev) + static int moxart_mac_stop(struct net_device *ndev) + { + struct moxart_mac_priv_t *priv = netdev_priv(ndev); ++ int i; + + napi_disable(&priv->napi); + +@@ -204,6 +200,11 @@ static int moxart_mac_stop(struct net_device *ndev) + /* disable all functions */ + writel(0, priv->base + REG_MAC_CTRL); + ++ /* unmap areas mapped in moxart_mac_setup_desc_ring() */ ++ for (i = 0; i < RX_DESC_NUM; i++) ++ dma_unmap_single(&priv->pdev->dev, priv->rx_mapping[i], ++ priv->rx_buf_size, DMA_FROM_DEVICE); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.4/netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch b/queue-5.4/netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch new file mode 100644 index 00000000000..faedefe76b7 --- /dev/null +++ b/queue-5.4/netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch @@ -0,0 +1,165 @@ +From d9fb203881a0ef56096f27a7c0c62a521bad9e86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Aug 2022 17:38:37 +0200 +Subject: netfilter: ebtables: reject blobs that don't provide all entry points + +From: Florian Westphal + +[ Upstream commit 7997eff82828304b780dc0a39707e1946d6f1ebf ] + +Harshit Mogalapalli says: + In ebt_do_table() function dereferencing 'private->hook_entry[hook]' + can lead to NULL pointer dereference. [..] Kernel panic: + +general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] +[..] +RIP: 0010:ebt_do_table+0x1dc/0x1ce0 +Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 5c 16 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 6c df 08 48 8d 7d 2c 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 88 +[..] +Call Trace: + nf_hook_slow+0xb1/0x170 + __br_forward+0x289/0x730 + maybe_deliver+0x24b/0x380 + br_flood+0xc6/0x390 + br_dev_xmit+0xa2e/0x12c0 + +For some reason ebtables rejects blobs that provide entry points that are +not supported by the table, but what it should instead reject is the +opposite: blobs that DO NOT provide an entry point supported by the table. + +t->valid_hooks is the bitmask of hooks (input, forward ...) that will see +packets. Providing an entry point that is not support is harmless +(never called/used), but the inverse isn't: it results in a crash +because the ebtables traverser doesn't expect a NULL blob for a location +its receiving packets for. + +Instead of fixing all the individual checks, do what iptables is doing and +reject all blobs that differ from the expected hooks. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Harshit Mogalapalli +Reported-by: syzkaller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/linux/netfilter_bridge/ebtables.h | 4 ---- + net/bridge/netfilter/ebtable_broute.c | 8 -------- + net/bridge/netfilter/ebtable_filter.c | 8 -------- + net/bridge/netfilter/ebtable_nat.c | 8 -------- + net/bridge/netfilter/ebtables.c | 8 +------- + 5 files changed, 1 insertion(+), 35 deletions(-) + +diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h +index db472c9cd8e9d..f0d846df3a424 100644 +--- a/include/linux/netfilter_bridge/ebtables.h ++++ b/include/linux/netfilter_bridge/ebtables.h +@@ -94,10 +94,6 @@ struct ebt_table { + struct ebt_replace_kernel *table; + unsigned int valid_hooks; + rwlock_t lock; +- /* e.g. could be the table explicitly only allows certain +- * matches, targets, ... 0 == let it in */ +- int (*check)(const struct ebt_table_info *info, +- unsigned int valid_hooks); + /* the data used by the kernel */ + struct ebt_table_info *private; + struct module *me; +diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c +index 32bc2821027f3..57f91efce0f73 100644 +--- a/net/bridge/netfilter/ebtable_broute.c ++++ b/net/bridge/netfilter/ebtable_broute.c +@@ -36,18 +36,10 @@ static struct ebt_replace_kernel initial_table = { + .entries = (char *)&initial_chain, + }; + +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks) +-{ +- if (valid_hooks & ~(1 << NF_BR_BROUTING)) +- return -EINVAL; +- return 0; +-} +- + static const struct ebt_table broute_table = { + .name = "broute", + .table = &initial_table, + .valid_hooks = 1 << NF_BR_BROUTING, +- .check = check, + .me = THIS_MODULE, + }; + +diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c +index bcf982e12f16b..7f2e620f4978f 100644 +--- a/net/bridge/netfilter/ebtable_filter.c ++++ b/net/bridge/netfilter/ebtable_filter.c +@@ -43,18 +43,10 @@ static struct ebt_replace_kernel initial_table = { + .entries = (char *)initial_chains, + }; + +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks) +-{ +- if (valid_hooks & ~FILTER_VALID_HOOKS) +- return -EINVAL; +- return 0; +-} +- + static const struct ebt_table frame_filter = { + .name = "filter", + .table = &initial_table, + .valid_hooks = FILTER_VALID_HOOKS, +- .check = check, + .me = THIS_MODULE, + }; + +diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c +index 0d092773f8161..1743a105485c4 100644 +--- a/net/bridge/netfilter/ebtable_nat.c ++++ b/net/bridge/netfilter/ebtable_nat.c +@@ -43,18 +43,10 @@ static struct ebt_replace_kernel initial_table = { + .entries = (char *)initial_chains, + }; + +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks) +-{ +- if (valid_hooks & ~NAT_VALID_HOOKS) +- return -EINVAL; +- return 0; +-} +- + static const struct ebt_table frame_nat = { + .name = "nat", + .table = &initial_table, + .valid_hooks = NAT_VALID_HOOKS, +- .check = check, + .me = THIS_MODULE, + }; + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index d9375c52f50e6..ddb988c339c17 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -999,8 +999,7 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, + goto free_iterate; + } + +- /* the table doesn't like it */ +- if (t->check && (ret = t->check(newinfo, repl->valid_hooks))) ++ if (repl->valid_hooks != t->valid_hooks) + goto free_unlock; + + if (repl->num_counters && repl->num_counters != t->private->nentries) { +@@ -1193,11 +1192,6 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table, + if (ret != 0) + goto free_chainstack; + +- if (table->check && table->check(newinfo, table->valid_hooks)) { +- ret = -EINVAL; +- goto free_chainstack; +- } +- + table->private = newinfo; + rwlock_init(&table->lock); + mutex_lock(&ebt_mutex); +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch b/queue-5.4/netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch new file mode 100644 index 00000000000..565732ee490 --- /dev/null +++ b/queue-5.4/netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch @@ -0,0 +1,50 @@ +From 90684502e7af5e3f30894ce8fd7355527fd24280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 16:25:07 +0200 +Subject: netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families + +From: Pablo Neira Ayuso + +[ Upstream commit 5f3b7aae14a706d0d7da9f9e39def52ff5fc3d39 ] + +As it was originally intended, restrict extension to supported families. + +Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_osf.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c +index 4911f8eb394ff..d966a3aff1d33 100644 +--- a/net/netfilter/nft_osf.c ++++ b/net/netfilter/nft_osf.c +@@ -115,9 +115,21 @@ static int nft_osf_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) + { +- return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) | +- (1 << NF_INET_PRE_ROUTING) | +- (1 << NF_INET_FORWARD)); ++ unsigned int hooks; ++ ++ switch (ctx->family) { ++ case NFPROTO_IPV4: ++ case NFPROTO_IPV6: ++ case NFPROTO_INET: ++ hooks = (1 << NF_INET_LOCAL_IN) | ++ (1 << NF_INET_PRE_ROUTING) | ++ (1 << NF_INET_FORWARD); ++ break; ++ default: ++ return -EOPNOTSUPP; ++ } ++ ++ return nft_chain_validate_hooks(ctx->chain, hooks); + } + + static struct nft_expr_type nft_osf_type; +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nft_payload-do-not-truncate-csum_offset-an.patch b/queue-5.4/netfilter-nft_payload-do-not-truncate-csum_offset-an.patch new file mode 100644 index 00000000000..1d3633f81c1 --- /dev/null +++ b/queue-5.4/netfilter-nft_payload-do-not-truncate-csum_offset-an.patch @@ -0,0 +1,72 @@ +From 26880ed09a1b74ffed48faafcd722cc81acdb5cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 11:55:19 +0200 +Subject: netfilter: nft_payload: do not truncate csum_offset and csum_type + +From: Pablo Neira Ayuso + +[ Upstream commit 7044ab281febae9e2fa9b0b247693d6026166293 ] + +Instead report ERANGE if csum_offset is too long, and EOPNOTSUPP if type +is not support. + +Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_payload.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index 7520ec17cabb7..6ed6ccef5e1ad 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -558,6 +558,8 @@ static int nft_payload_set_init(const struct nft_ctx *ctx, + const struct nlattr * const tb[]) + { + struct nft_payload_set *priv = nft_expr_priv(expr); ++ u32 csum_offset, csum_type = NFT_PAYLOAD_CSUM_NONE; ++ int err; + + priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE])); + priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET])); +@@ -565,11 +567,15 @@ static int nft_payload_set_init(const struct nft_ctx *ctx, + priv->sreg = nft_parse_register(tb[NFTA_PAYLOAD_SREG]); + + if (tb[NFTA_PAYLOAD_CSUM_TYPE]) +- priv->csum_type = +- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE])); +- if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) +- priv->csum_offset = +- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_OFFSET])); ++ csum_type = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE])); ++ if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) { ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_CSUM_OFFSET], U8_MAX, ++ &csum_offset); ++ if (err < 0) ++ return err; ++ ++ priv->csum_offset = csum_offset; ++ } + if (tb[NFTA_PAYLOAD_CSUM_FLAGS]) { + u32 flags; + +@@ -580,13 +586,14 @@ static int nft_payload_set_init(const struct nft_ctx *ctx, + priv->csum_flags = flags; + } + +- switch (priv->csum_type) { ++ switch (csum_type) { + case NFT_PAYLOAD_CSUM_NONE: + case NFT_PAYLOAD_CSUM_INET: + break; + default: + return -EOPNOTSUPP; + } ++ priv->csum_type = csum_type; + + return nft_validate_register_load(priv->sreg, priv->len); + } +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nft_payload-report-erange-for-too-long-off.patch b/queue-5.4/netfilter-nft_payload-report-erange-for-too-long-off.patch new file mode 100644 index 00000000000..c2eed224850 --- /dev/null +++ b/queue-5.4/netfilter-nft_payload-report-erange-for-too-long-off.patch @@ -0,0 +1,49 @@ +From eb39029f4d9188057715449ece1ae53dfd16a20c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 11:47:04 +0200 +Subject: netfilter: nft_payload: report ERANGE for too long offset and length + +From: Pablo Neira Ayuso + +[ Upstream commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9 ] + +Instead of offset and length are truncation to u8, report ERANGE. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_payload.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index cf0512fc648e7..7520ec17cabb7 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -624,6 +624,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx, + { + enum nft_payload_bases base; + unsigned int offset, len; ++ int err; + + if (tb[NFTA_PAYLOAD_BASE] == NULL || + tb[NFTA_PAYLOAD_OFFSET] == NULL || +@@ -649,8 +650,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx, + if (tb[NFTA_PAYLOAD_DREG] == NULL) + return ERR_PTR(-EINVAL); + +- offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET])); +- len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN])); ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset); ++ if (err < 0) ++ return ERR_PTR(err); ++ ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len); ++ if (err < 0) ++ return ERR_PTR(err); + + if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) && + base != NFT_PAYLOAD_LL_HEADER) +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nft_tunnel-restrict-it-to-netdev-family.patch b/queue-5.4/netfilter-nft_tunnel-restrict-it-to-netdev-family.patch new file mode 100644 index 00000000000..e19084c2667 --- /dev/null +++ b/queue-5.4/netfilter-nft_tunnel-restrict-it-to-netdev-family.patch @@ -0,0 +1,33 @@ +From 6c3de44f7a8cabf9e61909de691218d9b8d8198a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 16:32:44 +0200 +Subject: netfilter: nft_tunnel: restrict it to netdev family + +From: Pablo Neira Ayuso + +[ Upstream commit 01e4092d53bc4fe122a6e4b6d664adbd57528ca3 ] + +Only allow to use this expression from NFPROTO_NETDEV family. + +Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tunnel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index 1effd4878619f..4e850c81ad8d8 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -134,6 +134,7 @@ static const struct nft_expr_ops nft_tunnel_get_ops = { + + static struct nft_expr_type nft_tunnel_type __read_mostly = { + .name = "tunnel", ++ .family = NFPROTO_NETDEV, + .ops = &nft_tunnel_get_ops, + .policy = nft_tunnel_policy, + .maxattr = NFTA_TUNNEL_MAX, +-- +2.35.1 + diff --git a/queue-5.4/ratelimit-fix-data-races-in-___ratelimit.patch b/queue-5.4/ratelimit-fix-data-races-in-___ratelimit.patch new file mode 100644 index 00000000000..5a37f3aba63 --- /dev/null +++ b/queue-5.4/ratelimit-fix-data-races-in-___ratelimit.patch @@ -0,0 +1,64 @@ +From a0be6fb37b65b9c62bf4dc47b0c58768657cfbdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:48 -0700 +Subject: ratelimit: Fix data-races in ___ratelimit(). + +From: Kuniyuki Iwashima + +[ Upstream commit 6bae8ceb90ba76cdba39496db936164fa672b9be ] + +While reading rs->interval and rs->burst, they can be changed +concurrently via sysctl (e.g. net_ratelimit_state). Thus, we +need to add READ_ONCE() to their readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + lib/ratelimit.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/ratelimit.c b/lib/ratelimit.c +index e01a93f46f833..ce945c17980b9 100644 +--- a/lib/ratelimit.c ++++ b/lib/ratelimit.c +@@ -26,10 +26,16 @@ + */ + int ___ratelimit(struct ratelimit_state *rs, const char *func) + { ++ /* Paired with WRITE_ONCE() in .proc_handler(). ++ * Changing two values seperately could be inconsistent ++ * and some message could be lost. (See: net_ratelimit_state). ++ */ ++ int interval = READ_ONCE(rs->interval); ++ int burst = READ_ONCE(rs->burst); + unsigned long flags; + int ret; + +- if (!rs->interval) ++ if (!interval) + return 1; + + /* +@@ -44,7 +50,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func) + if (!rs->begin) + rs->begin = jiffies; + +- if (time_is_before_jiffies(rs->begin + rs->interval)) { ++ if (time_is_before_jiffies(rs->begin + interval)) { + if (rs->missed) { + if (!(rs->flags & RATELIMIT_MSG_ON_RELEASE)) { + printk_deferred(KERN_WARNING +@@ -56,7 +62,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func) + rs->begin = jiffies; + rs->printed = 0; + } +- if (rs->burst && rs->burst > rs->printed) { ++ if (burst && burst > rs->printed) { + rs->printed++; + ret = 1; + } else { +-- +2.35.1 + diff --git a/queue-5.4/rose-check-null-rose_loopback_neigh-loopback.patch b/queue-5.4/rose-check-null-rose_loopback_neigh-loopback.patch new file mode 100644 index 00000000000..51d2c8e1859 --- /dev/null +++ b/queue-5.4/rose-check-null-rose_loopback_neigh-loopback.patch @@ -0,0 +1,69 @@ +From 3396ede06490c8cdca40b2fb007e1163909e5404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 02:02:13 +0200 +Subject: rose: check NULL rose_loopback_neigh->loopback + +From: Bernard Pidoux + +[ Upstream commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ] + +Commit 3b3fd068c56e3fbea30090859216a368398e39bf added NULL check for +`rose_loopback_neigh->dev` in rose_loopback_timer() but omitted to +check rose_loopback_neigh->loopback. + +It thus prevents *all* rose connect. + +The reason is that a special rose_neigh loopback has a NULL device. + +/proc/net/rose_neigh illustrates it via rose_neigh_show() function : +[...] +seq_printf(seq, "%05d %-9s %-4s %3d %3d %3s %3s %3lu %3lu", + rose_neigh->number, + (rose_neigh->loopback) ? "RSLOOP-0" : ax2asc(buf, &rose_neigh->callsign), + rose_neigh->dev ? rose_neigh->dev->name : "???", + rose_neigh->count, + +/proc/net/rose_neigh displays special rose_loopback_neigh->loopback as +callsign RSLOOP-0: + +addr callsign dev count use mode restart t0 tf digipeaters +00001 RSLOOP-0 ??? 1 2 DCE yes 0 0 + +By checking rose_loopback_neigh->loopback, rose_rx_call_request() is called +even in case rose_loopback_neigh->dev is NULL. This repairs rose connections. + +Verification with rose client application FPAC: + +FPAC-Node v 4.1.3 (built Aug 5 2022) for LINUX (help = h) +F6BVP-4 (Commands = ?) : u +Users - AX.25 Level 2 sessions : +Port Callsign Callsign AX.25 state ROSE state NetRom status +axudp F6BVP-5 -> F6BVP-9 Connected Connected --------- + +Fixes: 3b3fd068c56e ("rose: Fix Null pointer dereference in rose_send_frame()") +Signed-off-by: Bernard Pidoux +Suggested-by: Francois Romieu +Cc: Thomas DL9SAU Osterried +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rose/rose_loopback.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c +index 11c45c8c6c164..036d92c0ad794 100644 +--- a/net/rose/rose_loopback.c ++++ b/net/rose/rose_loopback.c +@@ -96,7 +96,8 @@ static void rose_loopback_timer(struct timer_list *unused) + } + + if (frametype == ROSE_CALL_REQUEST) { +- if (!rose_loopback_neigh->dev) { ++ if (!rose_loopback_neigh->dev && ++ !rose_loopback_neigh->loopback) { + kfree_skb(skb); + continue; + } +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 923419e2aa3..91183a21df7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -9,3 +9,27 @@ sched-deadline-unthrottle-pi-boosted-threads-while-enqueuing.patch sched-deadline-fix-stale-throttling-on-de-boosted-tasks.patch sched-deadline-fix-priority-inheritance-with-multiple-scheduling-classes.patch kernel-sched-remove-dl_boosted-flag-comment.patch +xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch +af_key-do-not-call-xfrm_probe_algs-in-parallel.patch +sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch +rose-check-null-rose_loopback_neigh-loopback.patch +net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch +net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch +bonding-802.3ad-fix-no-transmission-of-lacpdus.patch +net-ipvtap-add-__init-__exit-annotations-to-module-i.patch +netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch +bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch +netfilter-nft_payload-report-erange-for-too-long-off.patch +netfilter-nft_payload-do-not-truncate-csum_offset-an.patch +netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch +netfilter-nft_tunnel-restrict-it-to-netdev-family.patch +net-fix-data-races-around-weight_p-and-dev_weight_-r.patch +net-fix-data-races-around-netdev_tstamp_prequeue.patch +ratelimit-fix-data-races-in-___ratelimit.patch +net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch +net-fix-a-data-race-around-sysctl_net_busy_poll.patch +net-fix-a-data-race-around-sysctl_net_busy_read.patch +net-fix-a-data-race-around-netdev_budget.patch +net-fix-a-data-race-around-netdev_budget_usecs.patch +net-fix-a-data-race-around-sysctl_somaxconn.patch +ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch diff --git a/queue-5.4/sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch b/queue-5.4/sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch new file mode 100644 index 00000000000..0968ad4c22f --- /dev/null +++ b/queue-5.4/sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch @@ -0,0 +1,35 @@ +From 37525be5d16b8b158277314b4862d82baeeabf59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 14:55:03 -0400 +Subject: SUNRPC: RPC level errors should set task->tk_rpc_status + +From: Trond Myklebust + +[ Upstream commit ed06fce0b034b2e25bd93430f5c4cbb28036cc1a ] + +Fix up a case in call_encode() where we're failing to set +task->tk_rpc_status when an RPC level error occurred. + +Fixes: 9c5948c24869 ("SUNRPC: task should be exit if encode return EKEYEXPIRED more times") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 08e1ccc01e983..1893203cc94fc 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1896,7 +1896,7 @@ call_encode(struct rpc_task *task) + break; + case -EKEYEXPIRED: + if (!task->tk_cred_retry) { +- rpc_exit(task, task->tk_status); ++ rpc_call_rpcerror(task, task->tk_status); + } else { + task->tk_action = call_refresh; + task->tk_cred_retry--; +-- +2.35.1 + diff --git a/queue-5.4/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch b/queue-5.4/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch new file mode 100644 index 00000000000..15ce37c804f --- /dev/null +++ b/queue-5.4/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch @@ -0,0 +1,41 @@ +From 693aae19bb32548338d8a496f82ce2487577b6ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Jul 2022 17:55:58 +0800 +Subject: xfrm: fix refcount leak in __xfrm_policy_check() + +From: Xin Xiong + +[ Upstream commit 9c9cb23e00ddf45679b21b4dacc11d1ae7961ebe ] + +The issue happens on an error path in __xfrm_policy_check(). When the +fetching process of the object `pols[1]` fails, the function simply +returns 0, forgetting to decrement the reference count of `pols[0]`, +which is incremented earlier by either xfrm_sk_policy_lookup() or +xfrm_policy_lookup(). This may result in memory leaks. + +Fix it by decreasing the reference count of `pols[0]` in that path. + +Fixes: 134b0fc544ba ("IPsec: propagate security module errors up from flow_cache_lookup") +Signed-off-by: Xin Xiong +Signed-off-by: Xin Tan +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 28a8cdef8e51f..6f58be5a17711 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3619,6 +3619,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + if (pols[1]) { + if (IS_ERR(pols[1])) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); ++ xfrm_pol_put(pols[0]); + return 0; + } + pols[1]->curlft.use_time = ktime_get_real_seconds(); +-- +2.35.1 +