From: Sasha Levin Date: Sun, 19 Mar 2023 12:04:23 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.14.311~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=874e518f6b8f6a5fe7d65570bf4fe35d591dfe98;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-hda-match-only-intel-devices-with-controller_in.patch b/queue-5.10/alsa-hda-match-only-intel-devices-with-controller_in.patch new file mode 100644 index 00000000000..59258f564a7 --- /dev/null +++ b/queue-5.10/alsa-hda-match-only-intel-devices-with-controller_in.patch 
@@ -0,0 +1,50 @@ +From a85942a7550aaace6c0552173a8b7e403d8b7658 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 15:40:54 -0600 +Subject: ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU() + +From: Bjorn Helgaas + +[ Upstream commit ff447886e675979d66b2bc01810035d3baea1b3a ] + +CONTROLLER_IN_GPU() is clearly intended to match only Intel devices, but +previously it checked only the PCI Device ID, not the Vendor ID, so it +could match devices from other vendors that happened to use the same Device +ID. + +Update CONTROLLER_IN_GPU() so it matches only Intel devices. + +Fixes: 535115b5ff51 ("ALSA: hda - Abort the probe without i915 binding for HSW/B") +Signed-off-by: Bjorn Helgaas +Link: https://lore.kernel.org/r/20230307214054.886721-1-helgaas@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 494bfd2135a9e..de1fe604905f3 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -365,14 +365,15 @@ enum { + #define needs_eld_notify_link(chip) false + #endif + +-#define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \ ++#define CONTROLLER_IN_GPU(pci) (((pci)->vendor == 0x8086) && \ ++ (((pci)->device == 0x0a0c) || \ + ((pci)->device == 0x0c0c) || \ + ((pci)->device == 0x0d0c) || \ + ((pci)->device == 0x160c) || \ + ((pci)->device == 0x490d) || \ + ((pci)->device == 0x4f90) || \ + ((pci)->device == 0x4f91) || \ +- ((pci)->device == 0x4f92)) ++ ((pci)->device == 0x4f92))) + + #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98) + +-- +2.39.2 + diff --git a/queue-5.10/block-null_blk-fix-handling-of-fake-timeout-request.patch b/queue-5.10/block-null_blk-fix-handling-of-fake-timeout-request.patch new file mode 100644 index 00000000000..b30065e388c --- /dev/null 
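Review bot: The new vendor test in `CONTROLLER_IN_GPU()` compares against a bare `0x8086`; `PCI_VENDOR_ID_INTEL` says the same thing by name, e.g. `(((pci)->vendor == PCI_VENDOR_ID_INTEL) && \`. The neighbouring `IS_BXT()` uses the same literal, so this is a style point for the file rather than a defect in the fix. The macro still expands `pci` once per comparison, so callers need to keep passing an expression without side effects.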
+++ b/queue-5.10/block-null_blk-fix-handling-of-fake-timeout-request.patch 
@@ -0,0 +1,57 @@ +From 35199e75ed0162860fd06e42a2a28b42e2064358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 13:11:05 +0900 +Subject: block: null_blk: Fix handling of fake timeout request + +From: Damien Le Moal + +[ Upstream commit 63f886597085f346276e3b3c8974de0100d65f32 ] + +When injecting a fake timeout into the null_blk driver using +fail_io_timeout, the request timeout handler does not execute +blk_mq_complete_request(), so the complete callback is never executed +for a timedout request. + +The null_blk driver also has a driver-specific fake timeout mechanism +which does not have this problem. Fix the problem with fail_io_timeout +by using the same meachanism as null_blk internal timeout feature, using +the fake_timeout field of null_blk commands. + +Reported-by: Akinobu Mita +Fixes: de3510e52b0a ("null_blk: fix command timeout completion handling") +Signed-off-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20230314041106.19173-2-damien.lemoal@opensource.wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index c6ba8f9f3f311..25db095e943b7 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -1309,8 +1309,7 @@ static inline void nullb_complete_cmd(struct nullb_cmd *cmd) + case NULL_IRQ_SOFTIRQ: + switch (cmd->nq->dev->queue_mode) { + case NULL_Q_MQ: +- if (likely(!blk_should_fake_timeout(cmd->rq->q))) +- blk_mq_complete_request(cmd->rq); ++ blk_mq_complete_request(cmd->rq); + break; + case NULL_Q_BIO: + /* +@@ -1486,7 +1485,8 @@ static blk_status_t null_queue_rq(struct blk_mq_hw_ctx *hctx, + cmd->rq = bd->rq; + cmd->error = BLK_STS_OK; + cmd->nq = nq; +- cmd->fake_timeout = should_timeout_request(bd->rq); ++ cmd->fake_timeout = should_timeout_request(bd->rq) || ++ 
blk_should_fake_timeout(bd->rq->q); + + blk_mq_start_request(bd->rq); + +-- +2.39.2 + diff --git a/queue-5.10/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch b/queue-5.10/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch new file mode 100644 index 00000000000..e4183db4cc9 --- /dev/null +++ b/queue-5.10/block-sunvdc-add-check-for-mdesc_grab-returning-null.patch @@ -0,0 +1,38 @@ +From 10f0ff080b177e67611641c26823b3def62daf73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:20:32 +0800 +Subject: block: sunvdc: add check for mdesc_grab() returning NULL + +From: Liang He + +[ Upstream commit 6030363199e3a6341afb467ddddbed56640cbf6a ] + +In vdc_port_probe(), we should check the return value of mdesc_grab() as +it may return NULL, which can cause potential NPD bug. + +Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20230315062032.1741692-1-windhl@126.com +[axboe: style cleanup] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/sunvdc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c +index 39aeebc6837da..d9e41d3bbe717 100644 +--- a/drivers/block/sunvdc.c ++++ b/drivers/block/sunvdc.c +@@ -984,6 +984,8 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + print_version(); + + hp = mdesc_grab(); ++ if (!hp) ++ return -ENODEV; + + err = -ENODEV; + if ((vdev->dev_no << PARTITION_SHIFT) & ~(u64)MINORMASK) { +-- +2.39.2 + diff --git a/queue-5.10/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch b/queue-5.10/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch new file mode 100644 index 00000000000..78359266586 --- /dev/null +++ b/queue-5.10/cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch 
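Review bot: In `null_queue_rq()` the `||` short-circuits, so `blk_should_fake_timeout()` is consulted only when `should_timeout_request()` returned false, and nothing on the line says that `fake_timeout` now covers two injection mechanisms. A short comment above the assignment would record that, for example `/* fake_timeout covers both null_blk's own timeout injection and fail_io_timeout */`. `nullb_complete_cmd()` now calls `blk_mq_complete_request()` unconditionally in the MQ case, so it relies on callers honouring `cmd->fake_timeout` before reaching it; that check is outside the hunks shown here.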
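Review bot: The new `if (!hp) return -ENODEV;` in `vdc_port_probe()` fails the probe without a message, and the same silent return is added to `vsw_port_probe()` and `vnet_port_probe()` in the ethernet-sun patch later in this commit. The next failure path visible in `vnet_port_probe()` logs with `pr_err("Cannot find port parent vnet\n")`, so a matching line such as `pr_err("mdesc_grab() failed\n");` before the return would make this case distinguishable from the other -ENODEV exits. Returning directly looks safe because nothing is acquired before `mdesc_grab()` in the lines shown; the rest of each probe function is outside the hunk.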
@@ -0,0 +1,117 @@ +From dd61a70ea60246c63dcf35e57b3fbdfe3d23124d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 11:11:36 +0800 +Subject: cifs: Move the in_send statistic to __smb_send_rqst() + +From: Zhang Xiaoxu + +[ Upstream commit d0dc41119905f740e8d5594adce277f7c0de8c92 ] + +When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the +in_send statistic was lost. + +Let's move the in_send statistic to the send function to avoid +this scenario. + +Fixes: 7ee1af765dfa ("[CIFS]") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/transport.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index b137006f0fd25..4409f56fc37e6 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -312,7 +312,7 @@ static int + __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + struct smb_rqst *rqst) + { +- int rc = 0; ++ int rc; + struct kvec *iov; + int n_vec; + unsigned int send_length = 0; +@@ -323,6 +323,7 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + struct msghdr smb_msg = {}; + __be32 rfc1002_marker; + ++ cifs_in_send_inc(server); + if (cifs_rdma_enabled(server)) { + /* return -EAGAIN when connecting or reconnecting */ + rc = -EAGAIN; +@@ -331,14 +332,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + goto smbd_done; + } + ++ rc = -EAGAIN; + if (ssocket == NULL) +- return -EAGAIN; ++ goto out; + ++ rc = -ERESTARTSYS; + if (fatal_signal_pending(current)) { + cifs_dbg(FYI, "signal pending before send request\n"); +- return -ERESTARTSYS; ++ goto out; + } + ++ rc = 0; + /* cork the socket */ + tcp_sock_set_cork(ssocket->sk, true); + +@@ -449,7 +453,8 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + rc); + else if (rc > 0) + rc = 0; +- ++out: ++ cifs_in_send_dec(server); + return rc; + } + +@@ -826,9 +831,7 @@ cifs_call_async(struct 
TCP_Server_Info *server, struct smb_rqst *rqst, + * I/O response may come back and free the mid entry on another thread. + */ + cifs_save_when_sent(mid); +- cifs_in_send_inc(server); + rc = smb_send_rqst(server, 1, rqst, flags); +- cifs_in_send_dec(server); + + if (rc < 0) { + revert_current_mid(server, mid->credits); +@@ -1117,9 +1120,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, + else + midQ[i]->callback = cifs_compound_last_callback; + } +- cifs_in_send_inc(server); + rc = smb_send_rqst(server, num_rqst, rqst, flags); +- cifs_in_send_dec(server); + + for (i = 0; i < num_rqst; i++) + cifs_save_when_sent(midQ[i]); +@@ -1356,9 +1357,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses, + + midQ->mid_state = MID_REQUEST_SUBMITTED; + +- cifs_in_send_inc(server); + rc = smb_send(server, in_buf, len); +- cifs_in_send_dec(server); + cifs_save_when_sent(midQ); + + if (rc < 0) +@@ -1495,9 +1494,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, + } + + midQ->mid_state = MID_REQUEST_SUBMITTED; +- cifs_in_send_inc(server); + rc = smb_send(server, in_buf, len); +- cifs_in_send_dec(server); + cifs_save_when_sent(midQ); + + if (rc < 0) +-- +2.39.2 + diff --git a/queue-5.10/clk-hi655x-select-regmap-instead-of-depending-on-it.patch b/queue-5.10/clk-hi655x-select-regmap-instead-of-depending-on-it.patch new file mode 100644 index 00000000000..b22a0bbab89 --- /dev/null +++ b/queue-5.10/clk-hi655x-select-regmap-instead-of-depending-on-it.patch 
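Review bot: With `cifs_in_send_inc(server)` now at the top of `__smb_send_rqst()`, the counter stays balanced only if every exit reaches the new `out:` label, and the hunks show just the two early returns being converted. The body between the socket cork and `smbd_done` is not visible here, so it is worth confirming that no direct `return` remains there and that `smbd_done` falls through to `out:`. A one-line comment at the label, e.g. `/* every exit must pass here to drop the in_send count */`, would keep later edits from reintroducing an unbalanced path.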
@@ -0,0 +1,47 @@ +From cb65599a447db5b6f42b6e88bb121354bcad98ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 21:39:47 -0800 +Subject: clk: HI655X: select REGMAP instead of depending on it + +From: Randy Dunlap + +[ Upstream commit 0ffad67784a097beccf34d297ddd1b0773b3b8a3 ] + +REGMAP is a hidden (not user visible) symbol. Users cannot set it +directly thru "make *config", so drivers should select it instead of +depending on it if they need it. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on REGMAP" to "select REGMAP". + +Fixes: 3a49afb84ca0 ("clk: enable hi655x common clk automatically") +Signed-off-by: Randy Dunlap +Cc: Riku Voipio +Cc: Stephen Boyd +Cc: Michael Turquette +Cc: linux-clk@vger.kernel.org +Link: https://lore.kernel.org/r/20230226053953.4681-3-rdunlap@infradead.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/Kconfig b/drivers/clk/Kconfig +index c715d4681a0b8..4ae49eae45869 100644 +--- a/drivers/clk/Kconfig ++++ b/drivers/clk/Kconfig +@@ -79,7 +79,7 @@ config COMMON_CLK_RK808 + config COMMON_CLK_HI655X + tristate "Clock driver for Hi655x" if EXPERT + depends on (MFD_HI655X_PMIC || COMPILE_TEST) +- depends on REGMAP ++ select REGMAP + default MFD_HI655X_PMIC + help + This driver supports the hi655x PMIC clock. This +-- +2.39.2 + diff --git a/queue-5.10/docs-correct-missing-d_-prefix-for-dentry_operations.patch b/queue-5.10/docs-correct-missing-d_-prefix-for-dentry_operations.patch new file mode 100644 index 00000000000..db048d841f3 --- /dev/null +++ b/queue-5.10/docs-correct-missing-d_-prefix-for-dentry_operations.patch 
@@ -0,0 +1,39 @@ +From b6c8586c00f80347a279df9394ebf85871446eee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 12:40:42 -0600 +Subject: docs: Correct missing "d_" prefix for dentry_operations member + d_weak_revalidate + +From: Glenn Washburn + +[ Upstream commit 74596085796fae0cfce3e42ee46bf4f8acbdac55 ] + +The details for struct dentry_operations member d_weak_revalidate is +missing a "d_" prefix. + +Fixes: af96c1e304f7 ("docs: filesystems: vfs: Convert vfs.txt to RST") +Signed-off-by: Glenn Washburn +Reviewed-by: Matthew Wilcox (Oracle) +Link: https://lore.kernel.org/r/20230227184042.2375235-1-development@efficientek.com +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/vfs.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/filesystems/vfs.rst b/Documentation/filesystems/vfs.rst +index ca52c82e5bb54..f7b69a0e71e1c 100644 +--- a/Documentation/filesystems/vfs.rst ++++ b/Documentation/filesystems/vfs.rst +@@ -1188,7 +1188,7 @@ defined: + return + -ECHILD and it will be called again in ref-walk mode. + +-``_weak_revalidate`` ++``d_weak_revalidate`` + called when the VFS needs to revalidate a "jumped" dentry. This + is called when a path-walk ends at dentry that was not acquired + by doing a lookup in the parent directory. This includes "/", +-- +2.39.2 + diff --git a/queue-5.10/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch b/queue-5.10/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch new file mode 100644 index 00000000000..3b89b98b1c2 --- /dev/null +++ b/queue-5.10/drm-bridge-fix-returned-array-size-name-for-atomic_g.patch 
@@ -0,0 +1,47 @@ +From c6d1385c3494116f7a28127330db8d2412521710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 13:50:35 +0800 +Subject: drm/bridge: Fix returned array size name for + atomic_get_input_bus_fmts kdoc + +From: Liu Ying + +[ Upstream commit 0d3c9333d976af41d7dbc6bf4d9d2e95fbdf9c89 ] + +The returned array size for input formats is set through +atomic_get_input_bus_fmts()'s 'num_input_fmts' argument, so use +'num_input_fmts' to represent the array size in the function's kdoc, +not 'num_output_fmts'. + +Fixes: 91ea83306bfa ("drm/bridge: Fix the bridge kernel doc") +Fixes: f32df58acc68 ("drm/bridge: Add the necessary bits to support bus format negotiation") +Signed-off-by: Liu Ying +Reviewed-by: Robert Foss +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230314055035.3731179-1-victor.liu@nxp.com +Signed-off-by: Sasha Levin +--- + include/drm/drm_bridge.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h +index 2195daa289d27..055486e35e68f 100644 +--- a/include/drm/drm_bridge.h ++++ b/include/drm/drm_bridge.h +@@ -427,11 +427,11 @@ struct drm_bridge_funcs { + * + * The returned array must be allocated with kmalloc() and will be + * freed by the caller. If the allocation fails, NULL should be +- * returned. num_output_fmts must be set to the returned array size. ++ * returned. num_input_fmts must be set to the returned array size. + * Formats listed in the returned array should be listed in decreasing + * preference order (the core will try all formats until it finds one + * that works). When the format is not supported NULL should be +- * returned and num_output_fmts should be set to 0. ++ * returned and num_input_fmts should be set to 0. + * + * This method is called on all elements of the bridge chain as part of + * the bus format negotiation process that happens in +-- +2.39.2 + 
diff --git a/queue-5.10/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch b/queue-5.10/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch new file mode 100644 index 00000000000..0408d9fe404 --- /dev/null +++ b/queue-5.10/drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch 
@@ -0,0 +1,45 @@ +From 34d9fa92051414ec7ecb9d3cd988b832e9d690d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 12:33:12 +0000 +Subject: drm/meson: fix 1px pink line on GXM when scaling video overlay + +From: Christian Hewitt + +[ Upstream commit 5c8cf1664f288098a971a1d1e65716a2b6a279e1 ] + +Playing media with a resolution smaller than the crtc size requires the +video overlay to be scaled for output and GXM boards display a 1px pink +line on the bottom of the scaled overlay. Comparing with the downstream +vendor driver revealed VPP_DUMMY_DATA not being set [0]. + +Setting VPP_DUMMY_DATA prevents the 1px pink line from being seen. + +[0] https://github.com/endlessm/linux-s905x/blob/master/drivers/amlogic/amports/video.c#L7869 + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Suggested-by: Martin Blumenstingl +Signed-off-by: Christian Hewitt +Acked-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230303123312.155164-1-christianshewitt@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_vpp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/meson/meson_vpp.c b/drivers/gpu/drm/meson/meson_vpp.c +index 154837688ab0d..5df1957c8e41f 100644 +--- a/drivers/gpu/drm/meson/meson_vpp.c ++++ b/drivers/gpu/drm/meson/meson_vpp.c +@@ -100,6 +100,8 @@ void meson_vpp_init(struct meson_drm *priv) + priv->io_base + _REG(VPP_DOLBY_CTRL)); + writel_relaxed(0x1020080, + priv->io_base + _REG(VPP_DUMMY_DATA1)); ++ writel_relaxed(0x42020, ++ priv->io_base + _REG(VPP_DUMMY_DATA)); + } else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) + writel_relaxed(0xf, priv->io_base + _REG(DOLBY_PATH_CTRL)); + +-- +2.39.2 + diff --git a/queue-5.10/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch b/queue-5.10/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch new file mode 100644 index 00000000000..3694681a33e --- /dev/null 
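Review bot: The added `writel_relaxed(0x42020, ...)` to `VPP_DUMMY_DATA` in `meson_vpp_init()` is a bare magic value, like the `0x1020080` written to `VPP_DUMMY_DATA1` just above it. The reason lives only in the commit message; a comment such as `/* without this GXM shows a 1px pink line under a scaled video overlay */` would keep it next to the register write. The branch condition this write sits under starts outside the hunk, so which SoCs reach it cannot be confirmed from these lines.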
+++ b/queue-5.10/drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch @@ -0,0 +1,38 @@ +From cbace63036a95b38515ec2b1a5adcde22052d65f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:40:38 +0300 +Subject: drm/panfrost: Don't sync rpm suspension after mmu flushing + +From: Dmitry Osipenko + +[ Upstream commit ba3be66f11c3c49afaa9f49b99e21d88756229ef ] + +Lockdep warns about potential circular locking dependency of devfreq +with the fs_reclaim caused by immediate device suspension when mapping is +released by shrinker. Fix it by doing the suspension asynchronously. + +Reviewed-by: Steven Price +Fixes: ec7eba47da86 ("drm/panfrost: Rework page table flushing and runtime PM interaction") +Signed-off-by: Dmitry Osipenko +Link: https://lore.kernel.org/all/20230108210445.3948344-3-dmitry.osipenko@collabora.com/ +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c +index 13596961ae17f..5ff856ef7d88c 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c +@@ -236,7 +236,7 @@ static void panfrost_mmu_flush_range(struct panfrost_device *pfdev, + if (pm_runtime_active(pfdev->dev)) + mmu_hw_do_operation(pfdev, mmu, iova, size, AS_COMMAND_FLUSH_PT); + +- pm_runtime_put_sync_autosuspend(pfdev->dev); ++ pm_runtime_put_autosuspend(pfdev->dev); + } + + static int mmu_map_sg(struct panfrost_device *pfdev, struct panfrost_mmu *mmu, +-- +2.39.2 + diff --git a/queue-5.10/ethernet-sun-add-check-for-the-mdesc_grab.patch b/queue-5.10/ethernet-sun-add-check-for-the-mdesc_grab.patch new file mode 100644 index 00000000000..41192a76d47 --- /dev/null +++ b/queue-5.10/ethernet-sun-add-check-for-the-mdesc_grab.patch 
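Review bot: The switch to `pm_runtime_put_autosuspend()` in `panfrost_mmu_flush_range()` is deliberate but reads like an arbitrary API choice, so a later cleanup could turn it back into the synchronous variant. A comment above the call would record the constraint from the commit message, for example `/* must not suspend synchronously: reachable from the shrinker (lockdep: devfreq vs fs_reclaim) */`. The start of the function is outside the hunk.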
@@ -0,0 +1,55 @@ +From 296c10c12d5b09e5ecd9cc7e5d9446b1ff8baae7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:00:21 +0800 +Subject: ethernet: sun: add check for the mdesc_grab() + +From: Liang He + +[ Upstream commit 90de546d9a0b3c771667af18bb3f80567eabb89b ] + +In vnet_port_probe() and vsw_port_probe(), we should +check the return value of mdesc_grab() as it may +return NULL which can caused NPD bugs. + +Fixes: 5d01fa0c6bd8 ("ldmvsw: Add ldmvsw.c driver code") +Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.") +Signed-off-by: Liang He +Reviewed-by: Piotr Raczynski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/ldmvsw.c | 3 +++ + drivers/net/ethernet/sun/sunvnet.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/sun/ldmvsw.c b/drivers/net/ethernet/sun/ldmvsw.c +index 01ea0d6f88193..934a4b54784b8 100644 +--- a/drivers/net/ethernet/sun/ldmvsw.c ++++ b/drivers/net/ethernet/sun/ldmvsw.c +@@ -290,6 +290,9 @@ static int vsw_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + + hp = mdesc_grab(); + ++ if (!hp) ++ return -ENODEV; ++ + rmac = mdesc_get_property(hp, vdev->mp, remote_macaddr_prop, &len); + err = -ENODEV; + if (!rmac) { +diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c +index 96b883f965f63..b6c03adf1e762 100644 +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -431,6 +431,9 @@ static int vnet_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + + hp = mdesc_grab(); + ++ if (!hp) ++ return -ENODEV; ++ + vp = vnet_find_parent(hp, vdev->mp, vdev); + if (IS_ERR(vp)) { + pr_err("Cannot find port parent vnet\n"); +-- +2.39.2 + 
diff --git a/queue-5.10/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch b/queue-5.10/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch new file mode 100644 index 00000000000..d76dc06eb24 --- /dev/null +++ b/queue-5.10/i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch 
@@ -0,0 +1,91 @@ +From a72816c60a128c8917d321927d577875640a22c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 10:45:09 -0800 +Subject: i40e: Fix kernel crash during reboot when adapter is in recovery mode + +From: Ivan Vecera + +[ Upstream commit 7e4f8a0c495413a50413e8c9f1032ce1bc633bae ] + +If the driver detects during probe that firmware is in recovery +mode then i40e_init_recovery_mode() is called and the rest of +probe function is skipped including pci_set_drvdata(). Subsequent +i40e_shutdown() called during shutdown/reboot dereferences NULL +pointer as pci_get_drvdata() returns NULL. + +To fix call pci_set_drvdata() also during entering to recovery mode. + +Reproducer: +1) Lets have i40e NIC with firmware in recovery mode +2) Run reboot + +Result: +[ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver +[ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation. +[ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality. +[ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode. +[ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a] +[ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0 +[ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality. +[ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode. +[ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a] +[ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0 +... 
+[ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2 +[ 156.318330] #PF: supervisor write access in kernel mode +[ 156.323546] #PF: error_code(0x0002) - not-present page +[ 156.328679] PGD 0 P4D 0 +[ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI +[ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1 +[ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022 +[ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e] +[ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00 +[ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282 +[ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001 +[ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000 +[ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40 +[ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000 +[ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000 +[ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000 +[ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0 +[ 156.438944] PKRU: 55555554 +[ 156.441647] Call Trace: +[ 156.444096] +[ 156.446199] pci_device_shutdown+0x38/0x60 +[ 156.450297] device_shutdown+0x163/0x210 +[ 156.454215] kernel_restart+0x12/0x70 +[ 156.457872] __do_sys_reboot+0x1ab/0x230 +[ 156.461789] ? vfs_writev+0xa6/0x1a0 +[ 156.465362] ? __pfx_file_free_rcu+0x10/0x10 +[ 156.469635] ? 
__call_rcu_common.constprop.85+0x109/0x5a0 +[ 156.475034] do_syscall_64+0x3e/0x90 +[ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 156.483658] RIP: 0033:0x7fe7bff37ab7 + +Fixes: 4ff0ee1af016 ("i40e: Introduce recovery mode support") +Signed-off-by: Ivan Vecera +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230309184509.984639-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 9e8a20a94862f..76481ff7074ba 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -14851,6 +14851,7 @@ static int i40e_init_recovery_mode(struct i40e_pf *pf, struct i40e_hw *hw) + int err; + int v_idx; + ++ pci_set_drvdata(pf->pdev, pf); + pci_save_state(pf->pdev); + + /* set up periodic task facility */ +-- +2.39.2 + diff --git a/queue-5.10/ice-xsk-disable-txq-irq-before-flushing-hw.patch b/queue-5.10/ice-xsk-disable-txq-irq-before-flushing-hw.patch new file mode 100644 index 00000000000..cfb41dd26b6 --- /dev/null +++ b/queue-5.10/ice-xsk-disable-txq-irq-before-flushing-hw.patch 
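Review bot: The added `pci_set_drvdata(pf->pdev, pf)` in `i40e_init_recovery_mode()` carries no comment, although the commit message explains why it is needed: `i40e_shutdown()` dereferences what `pci_get_drvdata()` returns, and the rest of probe, which normally sets it, is skipped in recovery mode. Suggest `/* i40e_shutdown() reads drvdata; the regular probe path that sets it is skipped in recovery mode */` above the call. The error paths of this function are outside the hunk, so whether any of them frees `pf` after this point, leaving drvdata stale until the failed probe is unwound, should be checked against the full function.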
@@ -0,0 +1,111 @@ +From cf848ef23ddb05c9559eaf6bd244ce09755f822a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 10:45:43 -0700 +Subject: ice: xsk: disable txq irq before flushing hw + +From: Maciej Fijalkowski + +[ Upstream commit b830c9642386867863ac64295185f896ff2928ac ] + +ice_qp_dis() intends to stop a given queue pair that is a target of xsk +pool attach/detach. One of the steps is to disable interrupts on these +queues. It currently is broken in a way that txq irq is turned off +*after* HW flush which in turn takes no effect. + +ice_qp_dis(): +-> ice_qvec_dis_irq() +--> disable rxq irq +--> flush hw +-> ice_vsi_stop_tx_ring() +-->disable txq irq + +Below splat can be triggered by following steps: +- start xdpsock WITHOUT loading xdp prog +- run xdp_rxq_info with XDP_TX action on this interface +- start traffic +- terminate xdpsock + +[ 256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018 +[ 256.319560] #PF: supervisor read access in kernel mode +[ 256.324775] #PF: error_code(0x0000) - not-present page +[ 256.329994] PGD 0 P4D 0 +[ 256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G OE 6.2.0-rc5+ #51 +[ 256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 +[ 256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice] +[ 256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 <49> 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44 +[ 256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206 +[ 256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f +[ 256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80 +[ 256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000 +[ 256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000 
+[ 256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600 +[ 256.421990] FS: 0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000 +[ 256.430207] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0 +[ 256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 256.457770] PKRU: 55555554 +[ 256.460529] Call Trace: +[ 256.463015] +[ 256.465157] ? ice_xmit_zc+0x6e/0x150 [ice] +[ 256.469437] ice_napi_poll+0x46d/0x680 [ice] +[ 256.473815] ? _raw_spin_unlock_irqrestore+0x1b/0x40 +[ 256.478863] __napi_poll+0x29/0x160 +[ 256.482409] net_rx_action+0x136/0x260 +[ 256.486222] __do_softirq+0xe8/0x2e5 +[ 256.489853] ? smpboot_thread_fn+0x2c/0x270 +[ 256.494108] run_ksoftirqd+0x2a/0x50 +[ 256.497747] smpboot_thread_fn+0x1c1/0x270 +[ 256.501907] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 256.506594] kthread+0xea/0x120 +[ 256.509785] ? __pfx_kthread+0x10/0x10 +[ 256.513597] ret_from_fork+0x29/0x50 +[ 256.517238] + +In fact, irqs were not disabled and napi managed to be scheduled and run +while xsk_pool pointer was still valid, but SW ring of xdp_buff pointers +was already freed. + +To fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also +while at it, remove redundant ice_clean_rx_ring() call - this is handled +in ice_qp_clean_rings(). + +Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Larysa Zaremba +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Acked-by: John Fastabend +Signed-off-by: Tony Nguyen +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 59963b901be0f..e0790df700e2c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -169,8 +169,6 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx) + } + netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx)); + +- ice_qvec_dis_irq(vsi, rx_ring, q_vector); +- + ice_fill_txq_meta(vsi, tx_ring, &txq_meta); + err = ice_vsi_stop_tx_ring(vsi, ICE_NO_RESET, 0, tx_ring, &txq_meta); + if (err) +@@ -185,6 +183,8 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx) + if (err) + return err; + } ++ ice_qvec_dis_irq(vsi, rx_ring, q_vector); ++ + err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true); + if (err) + return err; +-- +2.39.2 + diff --git a/queue-5.10/ipv4-fix-incorrect-table-id-in-ioctl-path.patch b/queue-5.10/ipv4-fix-incorrect-table-id-in-ioctl-path.patch new file mode 100644 index 00000000000..f7a95fd1bff --- /dev/null +++ b/queue-5.10/ipv4-fix-incorrect-table-id-in-ioctl-path.patch 
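Review bot: The commit message says the redundant `ice_clean_rx_ring()` call is removed as well, but the hunks for `ice_qp_dis()` only move `ice_qvec_dis_irq()` (2 insertions, 2 deletions) and no such removal appears. If the 5.10 tree never had that call at this point, a bracketed backport note in the message would say so; if it does, the removal is missing from this backport. Separately, the position of `ice_qvec_dis_irq()` is now load-bearing, so a comment like `/* disable IRQs only after the Tx ring is stopped, otherwise NAPI can still run against freed rings */` would guard the ordering.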
@@ -0,0 +1,74 @@
+From 4e6f6ba3498b6fc1e1133838630c8f73ece78b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 14:40:09 +0200
+Subject: ipv4: Fix incorrect table ID in IOCTL path
+
+From: Ido Schimmel
+
+[ Upstream commit 8a2618e14f81604a9b6ad305d57e0c8da939cd65 ]
+
+Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source
+address is deleted") started to take the table ID field in the FIB info
+structure into account when determining if two structures are identical
+or not. This field is initialized using the 'fc_table' field in the
+route configuration structure, which is not set when adding a route via
+IOCTL.
+
+The above can result in user space being able to install two identical
+routes that only differ in the table ID field of their associated FIB
+info.
+
+Fix by initializing the table ID field in the route configuration
+structure in the IOCTL path.
+
+Before the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ # ip -4 r show default
+ # default via 192.0.2.2 dev dummy10
+ # default via 192.0.2.2 dev dummy10
+
+After the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ SIOCADDRT: File exists
+ # ip -4 r show default
+ default via 192.0.2.2 dev dummy10
+
+Audited the code paths to ensure there are no other paths that do not
+properly initialize the route configuration structure when installing a
+route.
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted")
+Reported-by: gaoxingwang
+Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/
+Tested-by: gaoxingwang
+Signed-off-by: Ido Schimmel
+Reviewed-by: David Ahern
+Link: https://lore.kernel.org/r/20230315124009.4015212-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/fib_frontend.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 5f786ef662ead..41f890bf9d4c4 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -573,6 +573,9 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt,
+ cfg->fc_scope = RT_SCOPE_UNIVERSE;
+ }
+
++ if (!cfg->fc_table)
++ cfg->fc_table = RT_TABLE_MAIN;
++
+ if (cmd == SIOCDELRT)
+ return 0;
+
+--
+2.39.2
+
diff --git a/queue-5.10/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch b/queue-5.10/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
new file mode 100644
index 00000000000..3b4707a31bb
--- /dev/null
+++ b/queue-5.10/ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
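Review bot: The new `if (!cfg->fc_table)` default in rtentry_to_fib_config() carries no comment, and its position ahead of the `if (cmd == SIOCDELRT) return 0;` early return is easy to undo in a later cleanup. Because it sits before that return, delete requests get the same table ID as add requests, which seems to be what the duplicate-route comparison described in the commit message relies on. I would add `/* IOCTL callers never supply a table ID; default to the main table before the SIOCDELRT return so add and delete agree */` above the check. The function body starts and ends outside the hunk.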
@@ -0,0 +1,49 @@
+From 08be032d5f9f4f3acc3283996ae864b02ec2947d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 10:03:36 +0800
+Subject: ipvlan: Make skb->skb_iif track skb->dev for l3s mode
+
+From: Jianguo Wu
+
+[ Upstream commit 59a0b022aa249e3f5735d93de0849341722c4754 ]
+
+For l3s mode, skb->dev is set to ipvlan interface in ipvlan_nf_input():
+ skb->dev = addr->master->dev
+but, skb->skb_iif remain unchanged, this will cause socket lookup failed
+if a target socket is bound to a interface, like the following example:
+
+ ip link add ipvlan0 link eth0 type ipvlan mode l3s
+ ip addr add dev ipvlan0 192.168.124.111/24
+ ip link set ipvlan0 up
+
+ ping -c 1 -I ipvlan0 8.8.8.8
+ 100% packet loss
+
+This is because there is no match sk in __raw_v4_lookup() as sk->sk_bound_dev_if != dif(skb->skb_iif).
+Fix this by make skb->skb_iif track skb->dev in ipvlan_nf_input().
+
+Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes")
+Signed-off-by: Jianguo Wu
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/29865b1f-6db7-c07a-de89-949d3721ea30@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ipvlan/ipvlan_l3s.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c
+index 943d26cbf39f5..71712ea25403d 100644
+--- a/drivers/net/ipvlan/ipvlan_l3s.c
++++ b/drivers/net/ipvlan/ipvlan_l3s.c
+@@ -101,6 +101,7 @@ static unsigned int ipvlan_nf_input(void *priv, struct sk_buff *skb,
+ goto out;
+
+ skb->dev = addr->master->dev;
++ skb->skb_iif = skb->dev->ifindex;
+ len = skb->len + ETH_HLEN;
+ ipvlan_count_rx(addr->master, len, true, false);
+ out:
+--
+2.39.2
+
diff --git a/queue-5.10/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch b/queue-5.10/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch
new file mode 100644
index 00000000000..1b96dc64178
--- /dev/null
+++ b/queue-5.10/net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch 
@@ -0,0 +1,110 @@ +From 6493b9d3e2e6a10b941ef012752f5e1d6d7b587d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 20:24:05 +0200 +Subject: net: dsa: mv88e6xxx: fix max_mtu of 1492 on 6165, 6191, 6220, 6250, + 6290 + +From: Vladimir Oltean + +[ Upstream commit 7e9517375a14f44ee830ca1c3278076dd65fcc8f ] + +There are 3 classes of switch families that the driver is aware of, as +far as mv88e6xxx_change_mtu() is concerned: + +- MTU configuration is available per port. Here, the + chip->info->ops->port_set_jumbo_size() method will be present. + +- MTU configuration is global to the switch. Here, the + chip->info->ops->set_max_frame_size() method will be present. + +- We don't know how to change the MTU. Here, none of the above methods + will be present. + +Switch families MV88E6165, MV88E6191, MV88E6220, MV88E6250 and MV88E6290 +fall in category 3. + +The blamed commit has adjusted the MTU for all 3 categories by EDSA_HLEN +(8 bytes), resulting in a new maximum MTU of 1492 being reported by the +driver for these switches. + +I don't have the hardware to test, but I do have a MV88E6390 switch on +which I can simulate this by commenting out its .port_set_jumbo_size +definition from mv88e6390_ops. 
The result is this set of messages at +probe time: + +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 1 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 2 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 3 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 4 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 5 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 6 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 7 +mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 8 + +It is highly implausible that there exist Ethernet switches which don't +support the standard MTU of 1500 octets, and this is what the DSA +framework says as well - the error comes from dsa_slave_create() -> +dsa_slave_change_mtu(slave_dev, ETH_DATA_LEN). + +But the error messages are alarming, and it would be good to suppress +them. + +As a consequence of this unlikeliness, we reimplement mv88e6xxx_get_max_mtu() +and mv88e6xxx_change_mtu() on switches from the 3rd category as follows: +the maximum supported MTU is 1500, and any request to set the MTU to a +value larger than that fails in dev_validate_mtu(). + +Fixes: b9c587fed61c ("dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports") +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Reviewed-by: Florian Fainelli +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 371b345635e62..a253476a52b01 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -2734,7 +2734,7 @@ static int mv88e6xxx_get_max_mtu(struct dsa_switch *ds, int port) + return 10240 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN; + else if (chip->info->ops->set_max_frame_size) + return 1632 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN; +- return 1522 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN; ++ return ETH_DATA_LEN; + } + + static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu) +@@ -2742,6 +2742,17 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu) + struct mv88e6xxx_chip *chip = ds->priv; + int ret = 0; + ++ /* For families where we don't know how to alter the MTU, ++ * just accept any value up to ETH_DATA_LEN ++ */ ++ if (!chip->info->ops->port_set_jumbo_size && ++ !chip->info->ops->set_max_frame_size) { ++ if (new_mtu > ETH_DATA_LEN) ++ return -EINVAL; ++ ++ return 0; ++ } ++ + if (dsa_is_dsa_port(ds, port) || dsa_is_cpu_port(ds, port)) + new_mtu += EDSA_HLEN; + +@@ -2750,9 +2761,6 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu) + ret = chip->info->ops->port_set_jumbo_size(chip, port, new_mtu); + else if (chip->info->ops->set_max_frame_size) + ret = chip->info->ops->set_max_frame_size(chip, new_mtu); +- else +- if (new_mtu > 1522) +- ret = -EINVAL; + mv88e6xxx_reg_unlock(chip); + + return ret; +-- +2.39.2 + diff --git a/queue-5.10/net-iucv-fix-size-of-interrupt-data.patch b/queue-5.10/net-iucv-fix-size-of-interrupt-data.patch new file mode 100644 index 00000000000..55123a47db8 --- /dev/null +++ b/queue-5.10/net-iucv-fix-size-of-interrupt-data.patch 
@@ -0,0 +1,105 @@ +From fc7e5c437a632d83a88b409c7e88b730c6f4692c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 14:14:35 +0100 +Subject: net/iucv: Fix size of interrupt data + +From: Alexandra Winter + +[ Upstream commit 3d87debb8ed2649608ff432699e7c961c0c6f03b ] + +iucv_irq_data needs to be 4 bytes larger. +These bytes are not used by the iucv module, but written by +the z/VM hypervisor in case a CPU is deconfigured. + +Reported as: +BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten +----------------------------------------------------------------------------- +0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc +Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1 +__kmem_cache_alloc_node+0x166/0x450 +kmalloc_node_trace+0x3a/0x70 +iucv_cpu_prepare+0x44/0xd0 +cpuhp_invoke_callback+0x156/0x2f0 +cpuhp_issue_call+0xf0/0x298 +__cpuhp_setup_state_cpuslocked+0x136/0x338 +__cpuhp_setup_state+0xf4/0x288 +iucv_init+0xf4/0x280 +do_one_initcall+0x78/0x390 +do_initcalls+0x11a/0x140 +kernel_init_freeable+0x25e/0x2a0 +kernel_init+0x2e/0x170 +__ret_from_fork+0x3c/0x58 +ret_from_fork+0xa/0x40 +Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1 +__kmem_cache_free+0x308/0x358 +iucv_init+0x92/0x280 +do_one_initcall+0x78/0x390 +do_initcalls+0x11a/0x140 +kernel_init_freeable+0x25e/0x2a0 +kernel_init+0x2e/0x170 +__ret_from_fork+0x3c/0x58 +ret_from_fork+0xa/0x40 +Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0| +Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000 +Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ 
+Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................ +Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................ +Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ +Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........ +Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ +Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ +Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ +CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1 +Hardware name: IBM 3931 A01 704 (z/VM 7.3.0) +Call Trace: +[<000000032aa034ec>] dump_stack_lvl+0xac/0x100 +[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140 +[<0000000329f5aa78>] check_object+0x370/0x3c0 +[<0000000329f5ede6>] free_debug_processing+0x15e/0x348 +[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0 +[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8 +[<0000000329f61768>] __kmem_cache_free+0x308/0x358 +[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88 +[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0 +[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0 +[<0000000329c3243e>] cpu_device_down+0x4e/0x78 +[<000000032a61dee0>] device_offline+0xc8/0x118 +[<000000032a61e048>] online_store+0x60/0xe0 +[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8 +[<0000000329fab65c>] vfs_write+0x174/0x360 +[<0000000329fab9fc>] ksys_write+0x74/0x100 +[<000000032aa03a5a>] __do_syscall+0x1da/0x208 +[<000000032aa177b2>] system_call+0x82/0xb0 +INFO: lockdep is turned off. 
+FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc +FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed + +Fixes: 2356f4cb1911 ("[S390]: Rewrite of the IUCV base code, part 2") +Signed-off-by: Alexandra Winter +Link: https://lore.kernel.org/r/20230315131435.4113889-1-wintera@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index 349c6ac3313f7..6f84978a77265 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -83,7 +83,7 @@ struct iucv_irq_data { + u16 ippathid; + u8 ipflags1; + u8 iptype; +- u32 res2[8]; ++ u32 res2[9]; + }; + + struct iucv_irq_list { +-- +2.39.2 + diff --git a/queue-5.10/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch b/queue-5.10/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch new file mode 100644 index 00000000000..8a362e9d087 --- /dev/null +++ b/queue-5.10/net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch 
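Review bot: `u32 res2[9];` in struct iucv_irq_data grows a reserved array by one word with nothing in the code saying why, so a later tidy-up could shrink it again and reintroduce the out-of-bounds write shown in the redzone report. The description says the extra 4 bytes are written by the z/VM hypervisor when a CPU is deconfigured and are not used by the module; that belongs next to the field, e.g. `u32 res2[9]; /* last word is written by z/VM on CPU deconfigure; keep */`. A compile-time size assertion on the struct would pin the layout as well, but the full definition starts outside the hunk, so the expected size needs confirming against the hypervisor interface rather than this listing.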
@@ -0,0 +1,44 @@
+From d891caed8d41c3266976b1d0798eef8d80dbef91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 11 Mar 2023 19:34:45 +0100
+Subject: net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status
+ fails
+
+From: Heiner Kallweit
+
+[ Upstream commit c22c3bbf351e4ce905f082649cffa1ff893ea8c1 ]
+
+If genphy_read_status fails then further access to the PHY may result
+in unpredictable behavior. To prevent this bail out immediately if
+genphy_read_status fails.
+
+Fixes: 4223dbffed9f ("net: phy: smsc: Re-enable EDPD mode for LAN87xx")
+Signed-off-by: Heiner Kallweit
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/026aa4f2-36f5-1c10-ab9f-cdb17dda6ac4@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/smsc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index caf7291ffaf83..b67de3f9ef186 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -181,8 +181,11 @@ static int lan95xx_config_aneg_ext(struct phy_device *phydev)
+ static int lan87xx_read_status(struct phy_device *phydev)
+ {
+ struct smsc_phy_priv *priv = phydev->priv;
++ int err;
+
+- int err = genphy_read_status(phydev);
++ err = genphy_read_status(phydev);
++ if (err)
++ return err;
+
+ if (!phydev->link && priv->energy_enable) {
+ /* Disable EDPD to wake up PHY */
+--
+2.39.2
+
diff --git a/queue-5.10/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch b/queue-5.10/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch
new file mode 100644
index 00000000000..89888ed44bb
--- /dev/null
+++ b/queue-5.10/net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch
@@ -0,0 +1,164 @@ +From 6226c4193c5cdbb175cb3a8138c0d8b31487b90f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 11:08:28 +0100 +Subject: net/smc: fix deadlock triggered by cancel_delayed_work_syn() + +From: Wenjia Zhang + +[ Upstream commit 13085e1b5cab8ad802904d72e6a6dae85ae0cd20 ] + +The following LOCKDEP was detected: + Workqueue: events smc_lgr_free_work [smc] + WARNING: possible circular locking dependency detected + 6.1.0-20221027.rc2.git8.56bc5b569087.300.fc36.s390x+debug #1 Not tainted + ------------------------------------------------------ + kworker/3:0/176251 is trying to acquire lock: + 00000000f1467148 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}, + at: __flush_workqueue+0x7a/0x4f0 + but task is already holding lock: + 0000037fffe97dc8 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}, + at: process_one_work+0x232/0x730 + which lock already depends on the new lock. + the existing dependency chain (in reverse order) is: + -> #4 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + __flush_work+0x76/0xf0 + __cancel_work_timer+0x170/0x220 + __smc_lgr_terminate.part.0+0x34/0x1c0 [smc] + smc_connect_rdma+0x15e/0x418 [smc] + __smc_connect+0x234/0x480 [smc] + smc_connect+0x1d6/0x230 [smc] + __sys_connect+0x90/0xc0 + __do_sys_socketcall+0x186/0x370 + __do_syscall+0x1da/0x208 + system_call+0x82/0xb0 + -> #3 (smc_client_lgr_pending){+.+.}-{3:3}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + __mutex_lock+0x96/0x8e8 + mutex_lock_nested+0x32/0x40 + smc_connect_rdma+0xa4/0x418 [smc] + __smc_connect+0x234/0x480 [smc] + smc_connect+0x1d6/0x230 [smc] + __sys_connect+0x90/0xc0 + __do_sys_socketcall+0x186/0x370 + __do_syscall+0x1da/0x208 + system_call+0x82/0xb0 + -> #2 (sk_lock-AF_SMC){+.+.}-{0:0}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + 
lock_sock_nested+0x46/0xa8 + smc_tx_work+0x34/0x50 [smc] + process_one_work+0x30c/0x730 + worker_thread+0x62/0x420 + kthread+0x138/0x150 + __ret_from_fork+0x3c/0x58 + ret_from_fork+0xa/0x40 + -> #1 ((work_completion)(&(&smc->conn.tx_work)->work)){+.+.}-{0:0}: + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + process_one_work+0x2bc/0x730 + worker_thread+0x62/0x420 + kthread+0x138/0x150 + __ret_from_fork+0x3c/0x58 + ret_from_fork+0xa/0x40 + -> #0 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}: + check_prev_add+0xd8/0xe88 + validate_chain+0x70c/0xb20 + __lock_acquire+0x58e/0xbd8 + lock_acquire.part.0+0xe2/0x248 + lock_acquire+0xac/0x1c8 + __flush_workqueue+0xaa/0x4f0 + drain_workqueue+0xaa/0x158 + destroy_workqueue+0x44/0x2d8 + smc_lgr_free+0x9e/0xf8 [smc] + process_one_work+0x30c/0x730 + worker_thread+0x62/0x420 + kthread+0x138/0x150 + __ret_from_fork+0x3c/0x58 + ret_from_fork+0xa/0x40 + other info that might help us debug this: + Chain exists of: + (wq_completion)smc_tx_wq-00000000#2 + --> smc_client_lgr_pending + --> (work_completion)(&(&lgr->free_work)->work) + Possible unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock((work_completion)(&(&lgr->free_work)->work)); + lock(smc_client_lgr_pending); + lock((work_completion) + (&(&lgr->free_work)->work)); + lock((wq_completion)smc_tx_wq-00000000#2); + *** DEADLOCK *** + 2 locks held by kworker/3:0/176251: + #0: 0000000080183548 + ((wq_completion)events){+.+.}-{0:0}, + at: process_one_work+0x232/0x730 + #1: 0000037fffe97dc8 + ((work_completion) + (&(&lgr->free_work)->work)){+.+.}-{0:0}, + at: process_one_work+0x232/0x730 + stack backtrace: + CPU: 3 PID: 176251 Comm: kworker/3:0 Not tainted + Hardware name: IBM 8561 T01 701 (z/VM 7.2.0) + Call Trace: + [<000000002983c3e4>] dump_stack_lvl+0xac/0x100 + [<0000000028b477ae>] check_noncircular+0x13e/0x160 + [<0000000028b48808>] check_prev_add+0xd8/0xe88 + [<0000000028b49cc4>] validate_chain+0x70c/0xb20 + [<0000000028b4bd26>] 
__lock_acquire+0x58e/0xbd8 + [<0000000028b4cf6a>] lock_acquire.part.0+0xe2/0x248 + [<0000000028b4d17c>] lock_acquire+0xac/0x1c8 + [<0000000028addaaa>] __flush_workqueue+0xaa/0x4f0 + [<0000000028addf9a>] drain_workqueue+0xaa/0x158 + [<0000000028ae303c>] destroy_workqueue+0x44/0x2d8 + [<000003ff8029af26>] smc_lgr_free+0x9e/0xf8 [smc] + [<0000000028adf3d4>] process_one_work+0x30c/0x730 + [<0000000028adf85a>] worker_thread+0x62/0x420 + [<0000000028aeac50>] kthread+0x138/0x150 + [<0000000028a63914>] __ret_from_fork+0x3c/0x58 + [<00000000298503da>] ret_from_fork+0xa/0x40 + INFO: lockdep is turned off. +=================================================================== + +This deadlock occurs because cancel_delayed_work_sync() waits for +the work(&lgr->free_work) to finish, while the &lgr->free_work +waits for the work(lgr->tx_wq), which needs the sk_lock-AF_SMC, that +is already used under the mutex_lock. + +The solution is to use cancel_delayed_work() instead, which kills +off a pending work. + +Fixes: a52bcc919b14 ("net/smc: improve termination processing") +Signed-off-by: Wenjia Zhang +Reviewed-by: Jan Karcher +Reviewed-by: Karsten Graul +Reviewed-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c +index bf485a2017a4e..e84241ff4ac4f 100644 +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -912,7 +912,7 @@ static void __smc_lgr_terminate(struct smc_link_group *lgr, bool soft) + if (lgr->terminating) + return; /* lgr already terminating */ + /* cancel free_work sync, will terminate when lgr->freeing is set */ +- cancel_delayed_work_sync(&lgr->free_work); ++ cancel_delayed_work(&lgr->free_work); + lgr->terminating = 1; + + /* kill remaining link group connections */ +-- +2.39.2 + 
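Review bot: The context comment directly above the changed call still reads `/* cancel free_work sync, will terminate when lgr->freeing is set */`, which no longer matches `cancel_delayed_work(&lgr->free_work);`. The non-sync variant only removes a pending item and does not wait for one that is already running, so __smc_lgr_terminate() can now proceed while free_work executes; whether `lgr->freeing` and `lgr->terminating` fully cover that window cannot be judged from this hunk and should be confirmed. I would reword the comment to `/* cancel pending free_work without waiting; waiting here can deadlock against smc_tx_wq */` and state there what keeps a concurrently running free_work safe. The function continues outside the hunk.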
diff --git a/queue-5.10/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch b/queue-5.10/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch new file mode 100644 index 00000000000..c60896727fb --- /dev/null +++ b/queue-5.10/net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch 
@@ -0,0 +1,68 @@
+From eabd8ae3360dd091de3c179ba1bd41433f9519a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Mar 2023 16:17:12 +0800
+Subject: net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()
+
+From: D. Wythe
+
+[ Upstream commit 22a825c541d775c1dbe7b2402786025acad6727b ]
+
+When performing a stress test on SMC-R by rmmod mlx5_ib driver
+during the wrk/nginx test, we found that there is a probability
+of triggering a panic while terminating all link groups.
+
+This issue dues to the race between smc_smcr_terminate_all()
+and smc_buf_create().
+
+ smc_smcr_terminate_all
+
+smc_buf_create
+/* init */
+conn->sndbuf_desc = NULL;
+...
+
+ __smc_lgr_terminate
+ smc_conn_kill
+ smc_close_abort
+ smc_cdc_get_slot_and_msg_send
+
+ __softirqentry_text_start
+ smc_wr_tx_process_cqe
+ smc_cdc_tx_handler
+ READ(conn->sndbuf_desc->len);
+ /* panic dues to NULL sndbuf_desc */
+
+conn->sndbuf_desc = xxx;
+
+This patch tries to fix the issue by always to check the sndbuf_desc
+before send any cdc msg, to make sure that no null pointer is
+seen during cqe processing.
+
+Fixes: 0b29ec643613 ("net/smc: immediate termination for SMCR link groups")
+Signed-off-by: D. Wythe
+Reviewed-by: Tony Lu
+Reviewed-by: Wenjia Zhang
+Link: https://lore.kernel.org/r/1678263432-17329-1-git-send-email-alibuda@linux.alibaba.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/smc/smc_cdc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
+index 94503f36b9a61..9125d28d9ff5d 100644
+--- a/net/smc/smc_cdc.c
++++ b/net/smc/smc_cdc.c
+@@ -104,6 +104,9 @@ int smc_cdc_msg_send(struct smc_connection *conn,
+ union smc_host_cursor cfed;
+ int rc;
+
++ if (unlikely(!READ_ONCE(conn->sndbuf_desc)))
++ return -ENOBUFS;
++
+ smc_cdc_add_pending_send(conn, pend);
+
+ conn->tx_cdc_seq++;
+--
+2.39.2
+
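Review bot: The new early `return -ENOBUFS;` in smc_cdc_msg_send() leaves before `smc_cdc_add_pending_send(conn, pend)`, so the `pend` slot the caller passed in is neither queued nor visibly released on this path. If callers rely on smc_cdc_msg_send() to consume or free the slot on failure, this would leak a send slot each time the race is hit; the callers are outside the hunk, so this needs checking against them. The check is also a single point-in-time read, and `READ_ONCE()` here only helps if the store side of `conn->sndbuf_desc` is ordered accordingly, which the hunk does not show. A one-line comment such as `/* sndbuf_desc may still be NULL while smc_buf_create() races with link-group termination */` would record why the guard exists.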
diff --git a/queue-5.10/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch b/queue-5.10/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch new file mode 100644 index 00000000000..f1dbd762758 --- /dev/null +++ b/queue-5.10/net-tunnels-annotate-lockless-accesses-to-dev-needed.patch 
@@ -0,0 +1,252 @@ +From bfabaf9785f04f7c546e3cd6f81ce39aa6986463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 19:11:09 +0000 +Subject: net: tunnels: annotate lockless accesses to dev->needed_headroom + +From: Eric Dumazet + +[ Upstream commit 4b397c06cb987935b1b097336532aa6b4210e091 ] + +IP tunnels can apparently update dev->needed_headroom +in their xmit path. + +This patch takes care of three tunnels xmit, and also the +core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA() +helpers. + +More changes might be needed for completeness. + +BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit + +read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1: +ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 
net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228 
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430 +dst_output include/net/dst.h:444 [inline] +ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126 +iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82 +ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 + +write to 0xffff88815b9da0ec of 2 bytes by task 2379 on cpu 0: +ip_tunnel_xmit+0x1294/0x1730 net/ipv4/ip_tunnel.c:804 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661 +__netdev_start_xmit include/linux/netdevice.h:4881 [inline] +netdev_start_xmit include/linux/netdevice.h:4895 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596 +__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3051 [inline] +neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623 +neigh_output include/net/neighbour.h:546 [inline] +ip6_finish_output2+0x9bc/0xc50 net/ipv6/ip6_output.c:134 +__ip6_finish_output net/ipv6/ip6_output.c:195 [inline] +ip6_finish_output+0x39a/0x4e0 net/ipv6/ip6_output.c:206 +NF_HOOK_COND include/linux/netfilter.h:291 [inline] +ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:227 +dst_output include/net/dst.h:444 [inline] +NF_HOOK include/linux/netfilter.h:302 [inline] +mld_sendpack+0x438/0x6a0 net/ipv6/mcast.c:1820 +mld_send_cr net/ipv6/mcast.c:2121 [inline] +mld_ifc_work+0x519/0x7b0 net/ipv6/mcast.c:2653 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2390 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2537 +kthread+0x1ac/0x1e0 kernel/kthread.c:376 
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x0dd4 -> 0x0e14 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 2379 Comm: kworker/0:0 Not tainted 6.3.0-rc1-syzkaller-00002-g8ca09d5fa354-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 +Workqueue: mld mld_ifc_work + +Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230310191109.2384387-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 6 ++++-- + net/ipv4/ip_tunnel.c | 12 ++++++------ + net/ipv6/ip6_tunnel.c | 4 ++-- + 3 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index b478a16ef284d..9ef63bc14b002 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -270,9 +270,11 @@ struct hh_cache { + * relationship HH alignment <= LL alignment. 
+ */ + #define LL_RESERVED_SPACE(dev) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom)&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + #define LL_RESERVED_SPACE_EXTRA(dev,extra) \ +- ((((dev)->hard_header_len+(dev)->needed_headroom+(extra))&~(HH_DATA_MOD - 1)) + HH_DATA_MOD) ++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom) + (extra)) \ ++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD) + + struct header_ops { + int (*create) (struct sk_buff *skb, struct net_device *dev, +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index be75b409445c2..99f70b990eb13 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -613,10 +613,10 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + } + + headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len; +- if (headroom > dev->needed_headroom) +- dev->needed_headroom = headroom; ++ if (headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + goto tx_dropped; + } +@@ -797,10 +797,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + + max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr) + + rt->dst.header_len + ip_encap_hlen(&tunnel->encap); +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + +- if (skb_cow_head(skb, dev->needed_headroom)) { ++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { + ip_rt_put(rt); + dev->stats.tx_dropped++; + kfree_skb(skb); +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 0d4cab94c5dd2..a03a322e0cc1c 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1267,8 +1267,8 @@ 
int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, + */ + max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr) + + dst->header_len + t->hlen; +- if (max_headroom > dev->needed_headroom) +- dev->needed_headroom = max_headroom; ++ if (max_headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, max_headroom); + + err = ip6_tnl_encap(skb, t, &proto, fl6); + if (err) +-- +2.39.2 + diff --git a/queue-5.10/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch b/queue-5.10/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch new file mode 100644 index 00000000000..d34fb7f0a60 --- /dev/null +++ b/queue-5.10/net-usb-smsc75xx-limit-packet-length-to-skb-len.patch 
@@ -0,0 +1,39 @@
+From bf33545d1cc7d7fdc79a1e052730e1ecca6ec5b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 23:00:45 +0100
+Subject: net: usb: smsc75xx: Limit packet length to skb->len
+
+From: Szymon Heidrich
+
+[ Upstream commit d8b228318935044dafe3a5bc07ee71a1f1424b8d ]
+
+Packet length retrieved from skb data may be larger than
+the actual socket buffer length (up to 9026 bytes). In such
+case the cloned skb passed up the network stack will leak
+kernel memory contents.
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Signed-off-by: Szymon Heidrich
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/smsc75xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 378a12ae2d957..0b3d11e28faa7 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2211,7 +2211,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ dev->net->stats.rx_frame_errors++;
+ } else {
+ /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
++ size > skb->len)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err rx_cmd_a=0x%08x\n",
+ rx_cmd_a);
+--
+2.39.2
+
diff --git a/queue-5.10/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch b/queue-5.10/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
new file mode 100644
index 00000000000..cd344de825f
--- /dev/null
+++ b/queue-5.10/net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
@@ -0,0 +1,54 @@
+From bbfdde0e2544900f139cdac193c8ae08a0f029c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 12:05:40 +0100
+Subject: net: usb: smsc75xx: Move packet length check to prevent kernel panic
+ in skb_pull
+
+From: Szymon Heidrich
+
+[ Upstream commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c ]
+
+Packet length check needs to be located after size and align_count
+calculation to prevent kernel panic in skb_pull() in case
+rx_cmd_a & RX_CMD_A_RED evaluates to true.
+
+Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len")
+Signed-off-by: Szymon Heidrich
+Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/smsc75xx.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 0b3d11e28faa7..fb1389bd09392 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2199,6 +2199,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING;
+ align_count = (4 - ((size + RXW_PADDING) % 4)) % 4;
+
++ if (unlikely(size > skb->len)) {
++ netif_dbg(dev, rx_err, dev->net,
++ "size err rx_cmd_a=0x%08x\n",
++ rx_cmd_a);
++ return 0;
++ }
++
+ if (unlikely(rx_cmd_a & RX_CMD_A_RED)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "Error rx_cmd_a=0x%08x\n", rx_cmd_a);
+@@ -2211,8 +2218,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ dev->net->stats.rx_frame_errors++;
+ } else {
+ /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
+- size > skb->len)) {
++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err rx_cmd_a=0x%08x\n",
+ rx_cmd_a);
+--
+2.39.2
+
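Review bot: The new early `size > skb->len` rejection in the first hunk returns 0 with only a `netif_dbg()` line, so a device that reports a frame length larger than the received buffer leaves no trace in the interface counters, whereas the error path visible at the top of the second hunk bumps `rx_frame_errors`. Adding `dev->net->stats.rx_length_errors++;` before the `return 0;` would make malformed lengths countable without debug logging. The message `"size err rx_cmd_a=0x%08x\n"` is also identical to the one used for the MAX_SINGLE_PACKET_SIZE check, so the two rejections cannot be told apart in a log. The type of `size` is declared outside the hunk; it should be confirmed that a length field smaller than RXW_PADDING cannot wrap to a value that passes this comparison. smsc75xx_rx_fixup() starts and ends outside both hunks.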
diff --git a/queue-5.10/netfilter-nft_masq-correct-length-for-loading-protoc.patch b/queue-5.10/netfilter-nft_masq-correct-length-for-loading-protoc.patch
new file mode 100644
index 00000000000..5fec6298866
--- /dev/null
+++ b/queue-5.10/netfilter-nft_masq-correct-length-for-loading-protoc.patch
@@ -0,0 +1,39 @@
+From 6960895bea1dfdbd36dabb68ddbb987bd221871f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 23:22:57 +0000
+Subject: netfilter: nft_masq: correct length for loading protocol registers
+
+From: Jeremy Sowden
+
+[ Upstream commit ec2c5917eb858428b2083d1c74f445aabbe8316b ]
+
+The values in the protocol registers are two bytes wide. However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`. Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: 8a6bf5da1aef ("netfilter: nft_masq: support port range")
+Signed-off-by: Jeremy Sowden
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_masq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
+index 9953e80537536..1818dbf089cad 100644
+--- a/net/netfilter/nft_masq.c
++++ b/net/netfilter/nft_masq.c
+@@ -43,7 +43,7 @@ static int nft_masq_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[])
+ {
+- u32 plen = sizeof_field(struct nf_nat_range, min_addr.all);
++ u32 plen = sizeof_field(struct nf_nat_range, min_proto.all);
+ struct nft_masq *priv = nft_expr_priv(expr);
+ int err;
+
+--
+2.39.2
+
diff --git a/queue-5.10/netfilter-nft_nat-correct-length-for-loading-protoco.patch b/queue-5.10/netfilter-nft_nat-correct-length-for-loading-protoco.patch
new file mode 100644
index 00000000000..2601662dbdb
--- /dev/null
+++ b/queue-5.10/netfilter-nft_nat-correct-length-for-loading-protoco.patch
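Review bot: The corrected `plen` in nft_masq_init() still carries no explanation of why the register-load length is the port width rather than the address width, which is the confusion behind this bug and behind the identical one-line changes in the nft_nat and nft_redir patches that follow. A comment above the assignment would keep the three copies from drifting again, for example `/* proto registers hold a port value: size from min_proto, not min_addr */`. Judging by the `nft_parse_register_load(..., plen)` calls visible in the other two patches, this length is what the register load is checked against, so an over-wide value makes the check cover bytes the expression never uses. The body of nft_masq_init() continues outside the hunk.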
@@ -0,0 +1,39 @@
+From af445a31aa8337be9fa94a0802cc27340d3dea03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 23:22:56 +0000
+Subject: netfilter: nft_nat: correct length for loading protocol registers
+
+From: Jeremy Sowden
+
+[ Upstream commit 068d82e75d537b444303b8c449a11e51ea659565 ]
+
+The values in the protocol registers are two bytes wide. However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`. Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Jeremy Sowden
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_nat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index db8f9116eeb43..cd4eb4996aff3 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -226,7 +226,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ priv->flags |= NF_NAT_RANGE_MAP_IPS;
+ }
+
+- plen = sizeof_field(struct nf_nat_range, min_addr.all);
++ plen = sizeof_field(struct nf_nat_range, min_proto.all);
+ if (tb[NFTA_NAT_REG_PROTO_MIN]) {
+ err = nft_parse_register_load(tb[NFTA_NAT_REG_PROTO_MIN],
+ &priv->sreg_proto_min, plen);
+--
+2.39.2
+
diff --git a/queue-5.10/netfilter-nft_redir-correct-length-for-loading-proto.patch b/queue-5.10/netfilter-nft_redir-correct-length-for-loading-proto.patch
new file mode 100644
index 00000000000..503c95b72d3
--- /dev/null
+++ b/queue-5.10/netfilter-nft_redir-correct-length-for-loading-proto.patch
@@ -0,0 +1,39 @@
+From 6cbb1240cab7dba34889baff702b9e6e249fbb80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 23:22:58 +0000
+Subject: netfilter: nft_redir: correct length for loading protocol registers
+
+From: Jeremy Sowden
+
+[ Upstream commit 1f617b6b4c7a3d5ea7a56abb83a4c27733b60c2f ]
+
+The values in the protocol registers are two bytes wide. However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`. Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Jeremy Sowden
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_redir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
+index ba09890dddb50..deb7e65c8d82b 100644
+--- a/net/netfilter/nft_redir.c
++++ b/net/netfilter/nft_redir.c
+@@ -48,7 +48,7 @@ static int nft_redir_init(const struct nft_ctx *ctx,
+ unsigned int plen;
+ int err;
+
+- plen = sizeof_field(struct nf_nat_range, min_addr.all);
++ plen = sizeof_field(struct nf_nat_range, min_proto.all);
+ if (tb[NFTA_REDIR_REG_PROTO_MIN]) {
+ err = nft_parse_register_load(tb[NFTA_REDIR_REG_PROTO_MIN],
+ &priv->sreg_proto_min, plen);
+--
+2.39.2
+
diff --git a/queue-5.10/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch b/queue-5.10/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
new file mode 100644
index 00000000000..f8fc41e54e5
--- /dev/null
+++ b/queue-5.10/netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
@@ -0,0 +1,37 @@
+From db28ace3703fc9a929906d9979944b84f2a9652c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 23:22:59 +0000
+Subject: netfilter: nft_redir: correct value of inet type `.maxattrs`
+
+From: Jeremy Sowden
+
+[ Upstream commit 493924519b1fe3faab13ee621a43b0d0939abab1 ]
+
+`nft_redir_inet_type.maxattrs` was being set, presumably because of a
+cut-and-paste error, to `NFTA_MASQ_MAX`, instead of `NFTA_REDIR_MAX`.
+
+Fixes: 63ce3940f3ab ("netfilter: nft_redir: add inet support")
+Signed-off-by: Jeremy Sowden
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_redir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
+index deb7e65c8d82b..e64f531d66cfc 100644
+--- a/net/netfilter/nft_redir.c
++++ b/net/netfilter/nft_redir.c
+@@ -232,7 +232,7 @@ static struct nft_expr_type nft_redir_inet_type __read_mostly = {
+ .name = "redir",
+ .ops = &nft_redir_inet_ops,
+ .policy = nft_redir_policy,
+- .maxattr = NFTA_MASQ_MAX,
++ .maxattr = NFTA_REDIR_MAX,
+ .owner = THIS_MODULE,
+ };
+
+--
+2.39.2
+
diff --git a/queue-5.10/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch b/queue-5.10/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
new file mode 100644
index 00000000000..f3ebba2a35d
--- /dev/null
+++ b/queue-5.10/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
@@ -0,0 +1,65 @@
+From e443d9f5ca47b7802579ad63711c8812617c1f16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 19:50:50 +0300
+Subject: nfc: pn533: initialize struct pn533_out_arg properly
+
+From: Fedor Pchelkin
+
+[ Upstream commit 484b7059796e3bc1cb527caa61dfc60da649b4f6 ]
+
+struct pn533_out_arg used as a temporary context for out_urb is not
+initialized properly. Its uninitialized 'phy' field can be dereferenced in
+error cases inside pn533_out_complete() callback function. It causes the
+following failure:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441
+Call Trace:
+
+ __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671
+ usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754
+ dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700
+ expire_timers+0x234/0x330 kernel/time/timer.c:1751
+ __run_timers kernel/time/timer.c:2022 [inline]
+ __run_timers kernel/time/timer.c:1995 [inline]
+ run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
+ __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571
+ invoke_softirq kernel/softirq.c:445 [inline]
+ __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
+ irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
+
+Initialize the field with the pn533_usb_phy currently used.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 9dab880d675b ("nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()")
+Reported-by: syzbot+1e608ba4217c96d1952f@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230309165050.207390-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/pn533/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
+index 57b07446bb768..68eb1253f888f 100644
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -175,6 +175,7 @@ static int pn533_usb_send_frame(struct pn533 *dev,
+ print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1,
+ out->data, out->len, false);
+
++ arg.phy = phy;
+ init_completion(&arg.done);
+ cntx = phy->out_urb->context;
+ phy->out_urb->context = &arg;
+--
+2.39.2
+
diff --git a/queue-5.10/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch b/queue-5.10/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
new file mode 100644
index 00000000000..424b9f2712b
--- /dev/null
+++ b/queue-5.10/nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
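Review bot: Assigning `arg.phy` by hand repairs this one member only; `arg` is then handed to the completion callback through `phy->out_urb->context = &arg`, so any member that is never assigned is read by the callback with whatever the memory held. If the declaration (outside this hunk) has no initializer, initializing it there, `struct pn533_out_arg arg = { .phy = phy };`, would zero the remaining members and cover fields added later. Because `arg` appears to be a local of pn533_usb_send_frame(), the function must not return while the URB can still complete; that part of the body is outside the hunk and worth confirming alongside this change.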
@@ -0,0 +1,72 @@
+From 83b8cb3d9a2c0dc4d76fefd64717eff0e3a8ef85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 00:08:37 +0800
+Subject: nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+ condition
+
+From: Zheng Wang
+
+[ Upstream commit 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 ]
+
+This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
+Take st_nci_i2c_remove as an example.
+
+In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
+with llt_ndlc_sm_work.
+
+When it calls ndlc_recv or timeout handler, it will finally call
+schedule_work to start the work.
+
+When we call st_nci_i2c_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in ndlc_remove
+
+CPU0 CPU1
+
+ |llt_ndlc_sm_work
+st_nci_i2c_remove |
+ ndlc_remove |
+ st_nci_remove |
+ nci_free_device|
+ kfree(ndev) |
+//free ndlc->ndev |
+ |llt_ndlc_rcv_queue
+ |nci_recv_frame
+ |//use ndlc->ndev
+
+Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip")
+Signed-off-by: Zheng Wang
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/st-nci/ndlc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c
+index 5d74c674368a5..8ccf5a86ad1bb 100644
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -286,13 +286,15 @@ EXPORT_SYMBOL(ndlc_probe);
+
+ void ndlc_remove(struct llt_ndlc *ndlc)
+ {
+- st_nci_remove(ndlc->ndev);
+-
+ /* cancel timers */
+ del_timer_sync(&ndlc->t1_timer);
+ del_timer_sync(&ndlc->t2_timer);
+ ndlc->t2_active = false;
+ ndlc->t1_active = false;
++ /* cancel work */
++ cancel_work_sync(&ndlc->sm_work);
++
++ st_nci_remove(ndlc->ndev);
+
+ skb_queue_purge(&ndlc->rcv_q);
+ skb_queue_purge(&ndlc->send_q);
+--
+2.39.2
+
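Review bot: In ndlc_remove() both timers are stopped before `cancel_work_sync(&ndlc->sm_work)`, yet the commit message says the timeout handlers and ndlc_recv() end in schedule_work(); if llt_ndlc_sm_work can in turn re-arm t1_timer or t2_timer (not visible in this hunk), a work item still running during the two del_timer_sync() calls could start a timer again, and that timer would queue the work after it has been cancelled. It is worth confirming that neither side can re-arm the other at this point, or repeating `del_timer_sync(&ndlc->t1_timer);` and `del_timer_sync(&ndlc->t2_timer);` after the work is cancelled and before `st_nci_remove(ndlc->ndev);`. The same reasoning applies to ndlc_recv(): the `/* cancel work */` comment could state that callers must have quiesced their receive path before calling ndlc_remove(). ndlc_remove() continues past the end of the hunk.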
diff --git a/queue-5.10/null_blk-move-driver-into-its-own-directory.patch b/queue-5.10/null_blk-move-driver-into-its-own-directory.patch new file mode 100644 index 00000000000..1dd8f2c1e84 --- /dev/null +++ b/queue-5.10/null_blk-move-driver-into-its-own-directory.patch 
@@ -0,0 +1,168 @@ +From deb36937e982db4d5a15f19080924304b72bb742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2020 10:55:19 +0900 +Subject: null_blk: Move driver into its own directory + +From: Damien Le Moal + +[ Upstream commit eebf34a85c8c724676eba502d15202854f199b05 ] + +Move null_blk driver code into the new sub-directory +drivers/block/null_blk. + +Suggested-by: Bart Van Assche +Signed-off-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Signed-off-by: Jens Axboe +Stable-dep-of: 63f886597085 ("block: null_blk: Fix handling of fake timeout request") +Signed-off-by: Sasha Levin +--- + drivers/block/Kconfig | 8 +------- + drivers/block/Makefile | 7 +------ + drivers/block/null_blk/Kconfig | 12 ++++++++++++ + drivers/block/null_blk/Makefile | 11 +++++++++++ + drivers/block/{null_blk_main.c => null_blk/main.c} | 0 + drivers/block/{ => null_blk}/null_blk.h | 0 + drivers/block/{null_blk_trace.c => null_blk/trace.c} | 2 +- + drivers/block/{null_blk_trace.h => null_blk/trace.h} | 2 +- + drivers/block/{null_blk_zoned.c => null_blk/zoned.c} | 2 +- + 9 files changed, 28 insertions(+), 16 deletions(-) + create mode 100644 drivers/block/null_blk/Kconfig + create mode 100644 drivers/block/null_blk/Makefile + rename drivers/block/{null_blk_main.c => null_blk/main.c} (100%) + rename drivers/block/{ => null_blk}/null_blk.h (100%) + rename drivers/block/{null_blk_trace.c => null_blk/trace.c} (93%) + rename drivers/block/{null_blk_trace.h => null_blk/trace.h} (97%) + rename drivers/block/{null_blk_zoned.c => null_blk/zoned.c} (99%) + +diff --git a/drivers/block/Kconfig b/drivers/block/Kconfig +index 40c53632512b7..9617688b58b32 100644 +--- a/drivers/block/Kconfig ++++ b/drivers/block/Kconfig +@@ -16,13 +16,7 @@ menuconfig BLK_DEV + + if BLK_DEV + +-config BLK_DEV_NULL_BLK +- tristate "Null test block driver" +- select CONFIGFS_FS +- +-config BLK_DEV_NULL_BLK_FAULT_INJECTION +- bool "Support fault injection for Null test block driver" +- depends on 
BLK_DEV_NULL_BLK && FAULT_INJECTION ++source "drivers/block/null_blk/Kconfig" + + config BLK_DEV_FD + tristate "Normal floppy disk support" +diff --git a/drivers/block/Makefile b/drivers/block/Makefile +index e1f63117ee94f..a3170859e01d4 100644 +--- a/drivers/block/Makefile ++++ b/drivers/block/Makefile +@@ -41,12 +41,7 @@ obj-$(CONFIG_BLK_DEV_RSXX) += rsxx/ + obj-$(CONFIG_ZRAM) += zram/ + obj-$(CONFIG_BLK_DEV_RNBD) += rnbd/ + +-obj-$(CONFIG_BLK_DEV_NULL_BLK) += null_blk.o +-null_blk-objs := null_blk_main.o +-ifeq ($(CONFIG_BLK_DEV_ZONED), y) +-null_blk-$(CONFIG_TRACING) += null_blk_trace.o +-endif +-null_blk-$(CONFIG_BLK_DEV_ZONED) += null_blk_zoned.o ++obj-$(CONFIG_BLK_DEV_NULL_BLK) += null_blk/ + + skd-y := skd_main.o + swim_mod-y := swim.o swim_asm.o +diff --git a/drivers/block/null_blk/Kconfig b/drivers/block/null_blk/Kconfig +new file mode 100644 +index 0000000000000..6bf1f8ca20a24 +--- /dev/null ++++ b/drivers/block/null_blk/Kconfig +@@ -0,0 +1,12 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# ++# Null block device driver configuration ++# ++ ++config BLK_DEV_NULL_BLK ++ tristate "Null test block driver" ++ select CONFIGFS_FS ++ ++config BLK_DEV_NULL_BLK_FAULT_INJECTION ++ bool "Support fault injection for Null test block driver" ++ depends on BLK_DEV_NULL_BLK && FAULT_INJECTION +diff --git a/drivers/block/null_blk/Makefile b/drivers/block/null_blk/Makefile +new file mode 100644 +index 0000000000000..84c36e512ab89 +--- /dev/null ++++ b/drivers/block/null_blk/Makefile +@@ -0,0 +1,11 @@ ++# SPDX-License-Identifier: GPL-2.0 ++ ++# needed for trace events ++ccflags-y += -I$(src) ++ ++obj-$(CONFIG_BLK_DEV_NULL_BLK) += null_blk.o ++null_blk-objs := main.o ++ifeq ($(CONFIG_BLK_DEV_ZONED), y) ++null_blk-$(CONFIG_TRACING) += trace.o ++endif ++null_blk-$(CONFIG_BLK_DEV_ZONED) += zoned.o +diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk/main.c +similarity index 100% +rename from drivers/block/null_blk_main.c +rename to drivers/block/null_blk/main.c 
+diff --git a/drivers/block/null_blk.h b/drivers/block/null_blk/null_blk.h +similarity index 100% +rename from drivers/block/null_blk.h +rename to drivers/block/null_blk/null_blk.h +diff --git a/drivers/block/null_blk_trace.c b/drivers/block/null_blk/trace.c +similarity index 93% +rename from drivers/block/null_blk_trace.c +rename to drivers/block/null_blk/trace.c +index f246e7bff6982..3711cba160715 100644 +--- a/drivers/block/null_blk_trace.c ++++ b/drivers/block/null_blk/trace.c +@@ -4,7 +4,7 @@ + * + * Copyright (C) 2020 Western Digital Corporation or its affiliates. + */ +-#include "null_blk_trace.h" ++#include "trace.h" + + /* + * Helper to use for all null_blk traces to extract disk name. +diff --git a/drivers/block/null_blk_trace.h b/drivers/block/null_blk/trace.h +similarity index 97% +rename from drivers/block/null_blk_trace.h +rename to drivers/block/null_blk/trace.h +index 4f83032eb5441..ce3b430e88c57 100644 +--- a/drivers/block/null_blk_trace.h ++++ b/drivers/block/null_blk/trace.h +@@ -73,7 +73,7 @@ TRACE_EVENT(nullb_report_zones, + #undef TRACE_INCLUDE_PATH + #define TRACE_INCLUDE_PATH . + #undef TRACE_INCLUDE_FILE +-#define TRACE_INCLUDE_FILE null_blk_trace ++#define TRACE_INCLUDE_FILE trace + + /* This part must be outside protection */ + #include +diff --git a/drivers/block/null_blk_zoned.c b/drivers/block/null_blk/zoned.c +similarity index 99% +rename from drivers/block/null_blk_zoned.c +rename to drivers/block/null_blk/zoned.c +index f5df82c26c16f..41220ce59659b 100644 +--- a/drivers/block/null_blk_zoned.c ++++ b/drivers/block/null_blk/zoned.c +@@ -4,7 +4,7 @@ + #include "null_blk.h" + + #define CREATE_TRACE_POINTS +-#include "null_blk_trace.h" ++#include "trace.h" + + #define MB_TO_SECTS(mb) (((sector_t)mb * SZ_1M) >> SECTOR_SHIFT) + +-- +2.39.2 + diff --git a/queue-5.10/nvme-fix-handling-single-range-discard-request.patch b/queue-5.10/nvme-fix-handling-single-range-discard-request.patch new file mode 100644 index 00000000000..1c9720774a6 
--- /dev/null +++ b/queue-5.10/nvme-fix-handling-single-range-discard-request.patch 
@@ -0,0 +1,70 @@ +From 6d125a7d6fa49460f6b9968e7f2f89ec0e1bda4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 07:13:45 +0800 +Subject: nvme: fix handling single range discard request + +From: Ming Lei + +[ Upstream commit 37f0dc2ec78af0c3f35dd05578763de059f6fe77 ] + +When investigating one customer report on warning in nvme_setup_discard, +we observed the controller(nvme/tcp) actually exposes +queue_max_discard_segments(req->q) == 1. + +Obviously the current code can't handle this situation, since contiguity +merge like normal RW request is taken. + +Fix the issue by building range from request sector/nr_sectors directly. + +Fixes: b35ba01ea697 ("nvme: support ranged discard requests") +Signed-off-by: Ming Lei +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index e162f1dfbafe9..a4b6aa932a8fe 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -723,16 +723,26 @@ static blk_status_t nvme_setup_discard(struct nvme_ns *ns, struct request *req, + range = page_address(ns->ctrl->discard_page); + } + +- __rq_for_each_bio(bio, req) { +- u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector); +- u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift; +- +- if (n < segments) { +- range[n].cattr = cpu_to_le32(0); +- range[n].nlb = cpu_to_le32(nlb); +- range[n].slba = cpu_to_le64(slba); ++ if (queue_max_discard_segments(req->q) == 1) { ++ u64 slba = nvme_sect_to_lba(ns, blk_rq_pos(req)); ++ u32 nlb = blk_rq_sectors(req) >> (ns->lba_shift - 9); ++ ++ range[0].cattr = cpu_to_le32(0); ++ range[0].nlb = cpu_to_le32(nlb); ++ range[0].slba = cpu_to_le64(slba); ++ n = 1; ++ } else { ++ __rq_for_each_bio(bio, req) { ++ u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector); ++ u32 nlb = bio->bi_iter.bi_size >> 
ns->lba_shift; ++ ++ if (n < segments) { ++ range[n].cattr = cpu_to_le32(0); ++ range[n].nlb = cpu_to_le32(nlb); ++ range[n].slba = cpu_to_le64(slba); ++ } ++ n++; + } +- n++; + } + + if (WARN_ON_ONCE(n != segments)) { +-- +2.39.2 + diff --git a/queue-5.10/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch b/queue-5.10/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch new file mode 100644 index 00000000000..3ab42cbf23f --- /dev/null +++ b/queue-5.10/nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch 
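Review bot: The new single-range branch converts the sector count with a bare literal, `blk_rq_sectors(req) >> (ns->lba_shift - 9)`, while the start address on the line above goes through nvme_sect_to_lba(); writing the shift as `(ns->lba_shift - SECTOR_SHIFT)` would say what the 9 is. This branch also writes `range[0]` unconditionally and sets `n = 1`, leaving the later `WARN_ON_ONCE(n != segments)` as the only cross-check, whereas the multi-bio loop guards each store with `if (n < segments)`. `segments` is computed outside the hunk, so it should be confirmed that it is always 1 when `queue_max_discard_segments(req->q) == 1`. nvme_setup_discard() starts and ends outside the hunk.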
@@ -0,0 +1,46 @@
+From 0c8545a0fd5b1870fc0f740cdb398a8507df442c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 10:13:13 +0900
+Subject: nvmet: avoid potential UAF in nvmet_req_complete()
+
+From: Damien Le Moal
+
+[ Upstream commit 6173a77b7e9d3e202bdb9897b23f2a8afe7bf286 ]
+
+An nvme target ->queue_response() operation implementation may free the
+request passed as argument. Such implementation potentially could result
+in a use after free of the request pointer when percpu_ref_put() is
+called in nvmet_req_complete().
+
+Avoid such problem by using a local variable to save the sq pointer
+before calling __nvmet_req_complete(), thus avoiding dereferencing the
+req pointer after that function call.
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Signed-off-by: Damien Le Moal
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index bc88ff2912f56..a82a0796a6148 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -749,8 +749,10 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status)
+
+ void nvmet_req_complete(struct nvmet_req *req, u16 status)
+ {
++ struct nvmet_sq *sq = req->sq;
++
+ __nvmet_req_complete(req, status);
+- percpu_ref_put(&req->sq->ref);
++ percpu_ref_put(&sq->ref);
+ }
+ EXPORT_SYMBOL_GPL(nvmet_req_complete);
+
+--
+2.39.2
+
diff --git a/queue-5.10/qed-qed_dev-guard-against-a-possible-division-by-zer.patch b/queue-5.10/qed-qed_dev-guard-against-a-possible-division-by-zer.patch
new file mode 100644
index 00000000000..d6ebdd06414
--- /dev/null
+++ b/queue-5.10/qed-qed_dev-guard-against-a-possible-division-by-zer.patch
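Review bot: nvmet_req_complete() now relies on `req` not being touched after `__nvmet_req_complete()` returns, but nothing in the code says so, and the extra local `sq` looks like something a later cleanup would fold back into `req->sq->ref`. A comment on the local would pin the reason, for example `/* ->queue_response() may free req; read sq first and do not dereference req afterwards */`.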
@@ -0,0 +1,46 @@
+From b661de147d3ab3ed9768bd68bab0ef5fba407d5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 23:15:56 +0300
+Subject: qed/qed_dev: guard against a possible division by zero
+
+From: Daniil Tatianin
+
+[ Upstream commit 1a9dc5610ef89d807acdcfbff93a558f341a44da ]
+
+Previously we would divide total_left_rate by zero if num_vports
+happened to be 1 because non_requested_count is calculated as
+num_vports - req_count. Guard against this by validating num_vports at
+the beginning and returning an error otherwise.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: bcd197c81f63 ("qed: Add vport WFQ configuration APIs")
+Signed-off-by: Daniil Tatianin
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230309201556.191392-1-d-tatianin@yandex-team.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index d2f5855b2ea79..895b6f0a39841 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -4986,6 +4986,11 @@ static int qed_init_wfq_param(struct qed_hwfn *p_hwfn,
+
+ num_vports = p_hwfn->qm_info.num_vports;
+
++ if (num_vports < 2) {
++ DP_NOTICE(p_hwfn, "Unexpected num_vports: %d\n", num_vports);
++ return -EINVAL;
++ }
++
+ /* Accounting for the vports which are configured for WFQ explicitly */
+ for (i = 0; i < num_vports; i++) {
+ u32 tmp_speed;
+--
+2.39.2
+
diff --git a/queue-5.10/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch b/queue-5.10/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch
new file mode 100644
index 00000000000..739c8eef01c
--- /dev/null
+++ b/queue-5.10/qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch
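Review bot: The added `num_vports < 2` guard in qed_init_wfq_param() covers only one way for the divisor to reach zero. Per the commit message the divisor is `num_vports - req_count`, and the loop that follows the guard accounts for vports already configured for WFQ, so if req_count can reach num_vports (the counting is outside this hunk) the division is by zero again with two or more vports. Checking the divisor at the point of use, `if (!non_requested_count) return -EINVAL;`, would cover both cases. The function continues outside the hunk, so the exact placement has to be confirmed against the full body.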
@@ -0,0 +1,40 @@
+From 07e292d27d1647039c337e262dc969e65f52c4f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 22:46:18 +0300
+Subject: qed/qed_mng_tlv: correctly zero out ->min instead of ->hour
+
+From: Daniil Tatianin
+
+[ Upstream commit 470efd68a4653d9819d391489886432cd31bcd0b ]
+
+This fixes an issue where ->hour would erroneously get zeroed out
+instead of ->min because of a bad copy paste.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: f240b6882211 ("qed: Add support for processing fcoe tlv request.")
+Signed-off-by: Daniil Tatianin
+Link: https://lore.kernel.org/r/20230315194618.579286-1-d-tatianin@yandex-team.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
+index 3e3192a3ad9b7..fdbd5f07a1857 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
+@@ -422,7 +422,7 @@ qed_mfw_get_tlv_time_value(struct qed_mfw_tlv_time *p_time,
+ if (p_time->hour > 23)
+ p_time->hour = 0;
+ if (p_time->min > 59)
+- p_time->hour = 0;
++ p_time->min = 0;
+ if (p_time->msec > 999)
+ p_time->msec = 0;
+ if (p_time->usec > 999)
+--
+2.39.2
+
diff --git a/queue-5.10/scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch b/queue-5.10/scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch
new file mode 100644
index 00000000000..97a22d691a3
--- /dev/null
+++ b/queue-5.10/scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch
@@ -0,0 +1,38 @@
+From 56a1e7ae5b90e01cd7702d19dcbb26d178a79616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 May 2021 19:35:26 +0800
+Subject: scsi: core: Fix a comment in function scsi_host_dev_release()
+
+From: Xiang Chen
+
+[ Upstream commit 2dde5c8d912efea43be94d6a83ac9cb74879fa12 ]
+
+Commit 3be8828fc507 ("scsi: core: Avoid that ATA error handling can
+trigger a kernel hang or oops") moved rcu to scsi_cmnd instead of
+shost. Modify "shost->rcu" to "scmd->rcu" in a comment.
+
+Link: https://lore.kernel.org/r/1620646526-193154-1-git-send-email-chenxiang66@hisilicon.com
+Signed-off-by: Xiang Chen
+Signed-off-by: Martin K. Petersen
+Stable-dep-of: be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression")
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hosts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index fae0323242103..0fd2487203ff5 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -325,7 +325,7 @@ static void scsi_host_dev_release(struct device *dev)
+ /* In case scsi_remove_host() has not been called. */
+ scsi_proc_hostdir_rm(shost->hostt);
+
+- /* Wait for functions invoked through call_rcu(&shost->rcu, ...) */
++ /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
+ rcu_barrier();
+
+ if (shost->tmf_work_q)
+--
+2.39.2
+
diff --git a/queue-5.10/scsi-core-fix-a-procfs-host-directory-removal-regres.patch b/queue-5.10/scsi-core-fix-a-procfs-host-directory-removal-regres.patch
new file mode 100644
index 00000000000..2dcad276e0e
--- /dev/null
+++ b/queue-5.10/scsi-core-fix-a-procfs-host-directory-removal-regres.patch
@@ -0,0 +1,47 @@
+From a3319a1a29bbd3a9cd525fd1aba254c44e939efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 13:44:28 -0800
+Subject: scsi: core: Fix a procfs host directory removal regression
+
+From: Bart Van Assche
+
+[ Upstream commit be03df3d4bfe7e8866d4aa43d62e648ffe884f5f ]
+
+scsi_proc_hostdir_rm() decreases a reference counter and hence must only be
+called once per host that is removed. This change does not require a
+scsi_add_host_with_dma() change since scsi_add_host_with_dma() will return
+0 (success) if scsi_proc_host_add() is called.
+
+Fixes: fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier")
+Cc: John Garry
+Reported-by: John Garry
+Link: https://lore.kernel.org/all/ed6b8027-a9d9-1b45-be8e-df4e8c6c4605@oracle.com/
+Reported-by: syzbot+645a4616b87a2f10e398@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-scsi/000000000000890fab05f65342b6@google.com/
+Signed-off-by: Bart Van Assche
+Link: https://lore.kernel.org/r/20230307214428.3703498-1-bvanassche@acm.org
+Tested-by: John Garry
+Tested-by: Shin'ichiro Kawasaki
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hosts.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index 0fd2487203ff5..18321cf9db5d6 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -322,9 +322,6 @@ static void scsi_host_dev_release(struct device *dev)
+ struct Scsi_Host *shost = dev_to_shost(dev);
+ struct device *parent = dev->parent;
+
+- /* In case scsi_remove_host() has not been called. */
+- scsi_proc_hostdir_rm(shost->hostt);
+-
+ /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
+ rcu_barrier();
+
+--
+2.39.2
+
diff --git a/queue-5.10/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch b/queue-5.10/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch
new file mode 100644
index 00000000000..63b92e55cdd
--- /dev/null
+++ b/queue-5.10/scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch 
@@ -0,0 +1,77 @@
+From 0a16522f680a1e81bd2b7356035314cf99aae7a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 Feb 2023 18:01:36 +0800
+Subject: scsi: mpt3sas: Fix NULL pointer access in
+ mpt3sas_transport_port_add()
+
+From: Wenchao Hao
+
+[ Upstream commit d3c57724f1569311e4b81e98fad0931028b9bdcd ]
+
+Port is allocated by sas_port_alloc_num() and rphy is allocated by either
+sas_end_device_alloc() or sas_expander_alloc(), all of which may return
+NULL. So we need to check the rphy to avoid possible NULL pointer access.
+
+If sas_rphy_add() returned with failure, rphy is set to NULL. We would
+access the rphy in the following lines which would also result NULL pointer
+access.
+
+Fixes: 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()")
+Signed-off-by: Wenchao Hao
+Link: https://lore.kernel.org/r/20230225100135.2109330-1-haowenchao2@huawei.com
+Acked-by: Sathya Prakash Veerichetty
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+index b58f4d9c296a3..326265fd7f91a 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+@@ -670,7 +670,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ goto out_fail;
+ }
+ port = sas_port_alloc_num(sas_node->parent_dev);
+- if ((sas_port_add(port))) {
++ if (!port || (sas_port_add(port))) {
+ ioc_err(ioc, "failure at %s:%d/%s()!\n",
+ __FILE__, __LINE__, __func__);
+ goto out_fail;
+@@ -695,6 +695,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ rphy = sas_expander_alloc(port,
+ mpt3sas_port->remote_identify.device_type);
+
++ if (!rphy) {
++ ioc_err(ioc, "failure at %s:%d/%s()!\n",
++ __FILE__, __LINE__, __func__);
++ goto out_delete_port;
++ }
++
+ rphy->identify = mpt3sas_port->remote_identify;
+
+ if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+@@ -714,6 +720,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ __FILE__, __LINE__, __func__);
+ sas_rphy_free(rphy);
+ rphy = NULL;
++ goto out_delete_port;
+ }
+
+ if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+@@ -740,7 +747,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ rphy_to_expander_device(rphy));
+ return mpt3sas_port;
+
+- out_fail:
++out_delete_port:
++ sas_port_delete(port);
++
++out_fail:
+ list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
+ port_siblings)
+ list_del(&mpt3sas_phy->port_siblings);
+--
+2.39.2
+
diff --git a/queue-5.10/selftests-net-devlink_port_split.py-skip-test-if-no-.patch b/queue-5.10/selftests-net-devlink_port_split.py-skip-test-if-no-.patch
new file mode 100644
index 00000000000..2d21bc4b999
--- /dev/null
+++ b/queue-5.10/selftests-net-devlink_port_split.py-skip-test-if-no-.patch
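Review bot: In the first mpt3sas_transport.c hunk, `if (!port || (sas_port_add(port)))` sends both failures to `out_fail`, and the part of `out_fail` visible here only unlinks the phys, so a port that was allocated but then failed sas_port_add() appears never to be released. Splitting the check lets the add-failure path call sas_port_free() before the jump; the remainder of `out_fail` and of the function lies outside the hunks, so this should be confirmed against the full body. The `rphy = NULL;` store kept just ahead of the new `goto out_delete_port;` is also dead now and can be dropped.

```c
	port = sas_port_alloc_num(sas_node->parent_dev);
	if (!port) {
		ioc_err(ioc, "failure at %s:%d/%s()!\n",
			__FILE__, __LINE__, __func__);
		goto out_fail;
	}
	if (sas_port_add(port)) {
		ioc_err(ioc, "failure at %s:%d/%s()!\n",
			__FILE__, __LINE__, __func__);
		/* allocated but never added: release it before bailing out */
		sas_port_free(port);
		goto out_fail;
	}
	/* … unchanged: phy attachment, rphy allocation and registration … */
```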
@@ -0,0 +1,113 @@
+From 8e2be7a95488a07d257ff4c726d3f4149c268c0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 00:53:53 +0800
+Subject: selftests: net: devlink_port_split.py: skip test if no suitable
+ device available
+
+From: Po-Hsu Lin
+
+[ Upstream commit 24994513ad13ff2c47ba91d2b5df82c3d496c370 ]
+
+The `devlink -j port show` command output may not contain the "flavour"
+key, an example from Ubuntu 22.10 s390x LPAR(5.19.0-37-generic), with
+mlx4 driver and iproute2-5.15.0:
+ {"port":{"pci/0001:00:00.0/1":{"type":"eth","netdev":"ens301"},
+ "pci/0001:00:00.0/2":{"type":"eth","netdev":"ens301d1"},
+ "pci/0002:00:00.0/1":{"type":"eth","netdev":"ens317"},
+ "pci/0002:00:00.0/2":{"type":"eth","netdev":"ens317d1"}}}
+
+This will cause a KeyError exception.
+
+Create a validate_devlink_output() to check for this "flavour" from
+devlink command output to avoid this KeyError exception. Also let
+it handle the check for `devlink -j dev show` output in main().
+
+Apart from this, if the test was not started because the max lanes of
+the designated device is 0. The script will still return 0 and thus
+causing a false-negative test result.
+
+Use a found_max_lanes flag to determine if these tests were skipped
+due to this reason and return KSFT_SKIP to make it more clear.
+
+Link: https://bugs.launchpad.net/bugs/1937133
+Fixes: f3348a82e727 ("selftests: net: Add port split test")
+Signed-off-by: Po-Hsu Lin
+Link: https://lore.kernel.org/r/20230315165353.229590-1-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../selftests/net/devlink_port_split.py | 30 +++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/tools/testing/selftests/net/devlink_port_split.py b/tools/testing/selftests/net/devlink_port_split.py
+index 834066d465fc1..f0fbd7367f4f6 100755
+--- a/tools/testing/selftests/net/devlink_port_split.py
++++ b/tools/testing/selftests/net/devlink_port_split.py
+@@ -57,6 +57,8 @@ class devlink_ports(object):
+ assert stderr == ""
+ ports = json.loads(stdout)['port']
+
++ validate_devlink_output(ports, 'flavour')
++
+ for port in ports:
+ if dev in port:
+ if ports[port]['flavour'] == 'physical':
+@@ -218,6 +220,27 @@ def split_splittable_port(port, k, lanes, dev):
+ unsplit(port.bus_info)
+
+
++def validate_devlink_output(devlink_data, target_property=None):
++ """
++ Determine if test should be skipped by checking:
++ 1. devlink_data contains values
++ 2. The target_property exist in devlink_data
++ """
++ skip_reason = None
++ if any(devlink_data.values()):
++ if target_property:
++ skip_reason = "{} not found in devlink output, test skipped".format(target_property)
++ for key in devlink_data:
++ if target_property in devlink_data[key]:
++ skip_reason = None
++ else:
++ skip_reason = 'devlink output is empty, test skipped'
++
++ if skip_reason:
++ print(skip_reason)
++ sys.exit(KSFT_SKIP)
++
++
+ def make_parser():
+ parser = argparse.ArgumentParser(description='A test for port splitting.')
+ parser.add_argument('--dev',
+@@ -238,6 +261,7 @@ def main(cmdline=None):
+ stdout, stderr = run_command(cmd)
+ assert stderr == ""
+
++ validate_devlink_output(json.loads(stdout))
+ devs = json.loads(stdout)['dev']
+ dev = list(devs.keys())[0]
+
+@@ -249,6 +273,7 @@ def main(cmdline=None):
+
+ ports = devlink_ports(dev)
+
++ found_max_lanes = False
+ for port in ports.if_names:
+ max_lanes = get_max_lanes(port.name)
+
+@@ -271,6 +296,11 @@ def main(cmdline=None):
+ split_splittable_port(port, lane, max_lanes, dev)
+
+ lane //= 2
++ found_max_lanes = True
++
++ if not found_max_lanes:
++ print(f"Test not started, no port of device {dev} reports max_lanes")
++ sys.exit(KSFT_SKIP)
+
+
+ if __name__ == "__main__":
+--
+2.39.2
+
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..784f8a11b93
--- /dev/null
+++ b/queue-5.10/series
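Review bot: validate_devlink_output() clears `skip_reason` as soon as any one entry carries `target_property`, but the loop in devlink_ports (context lines of the first hunk) still indexes `ports[port]['flavour']` for every port that matches `dev`. With mixed output, where only some ports report the key, the script would pass validation and still raise the KeyError this change is meant to prevent. Making the lookup itself tolerant closes that gap: `if ports[port].get('flavour') == 'physical':`. Both the class method and main() extend beyond the hunks shown, so other direct `['flavour']` lookups, if any, would need the same change.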
@@ -0,0 +1,39 @@
+xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
+drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch
+cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch
+drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch
+clk-hi655x-select-regmap-instead-of-depending-on-it.patch
+docs-correct-missing-d_-prefix-for-dentry_operations.patch
+scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch
+alsa-hda-match-only-intel-devices-with-controller_in.patch
+netfilter-nft_nat-correct-length-for-loading-protoco.patch
+netfilter-nft_masq-correct-length-for-loading-protoc.patch
+netfilter-nft_redir-correct-length-for-loading-proto.patch
+netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
+scsi-core-fix-a-comment-in-function-scsi_host_dev_re.patch
+scsi-core-fix-a-procfs-host-directory-removal-regres.patch
+tcp-tcp_make_synack-can-be-called-from-process-conte.patch
+nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
+ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
+i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch
+net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch
+qed-qed_dev-guard-against-a-possible-division-by-zer.patch
+net-tunnels-annotate-lockless-accesses-to-dev-needed.patch
+net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch
+nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
+net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch
+net-usb-smsc75xx-limit-packet-length-to-skb-len.patch
+drm-bridge-fix-returned-array-size-name-for-atomic_g.patch
+null_blk-move-driver-into-its-own-directory.patch
+block-null_blk-fix-handling-of-fake-timeout-request.patch
+nvme-fix-handling-single-range-discard-request.patch
+nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch
+block-sunvdc-add-check-for-mdesc_grab-returning-null.patch
+ice-xsk-disable-txq-irq-before-flushing-hw.patch
+net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch
+ipv4-fix-incorrect-table-id-in-ioctl-path.patch
+net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
+net-iucv-fix-size-of-interrupt-data.patch
+selftests-net-devlink_port_split.py-skip-test-if-no-.patch
+qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch
+ethernet-sun-add-check-for-the-mdesc_grab.patch
diff --git a/queue-5.10/tcp-tcp_make_synack-can-be-called-from-process-conte.patch b/queue-5.10/tcp-tcp_make_synack-can-be-called-from-process-conte.patch
new file mode 100644
index 00000000000..291d6339eac
--- /dev/null
+++ b/queue-5.10/tcp-tcp_make_synack-can-be-called-from-process-conte.patch
@@ -0,0 +1,64 @@
+From 083984b4651ce251d343d36fb8e31beb923c684a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Mar 2023 11:07:45 -0800
+Subject: tcp: tcp_make_synack() can be called from process context
+
+From: Breno Leitao
+
+[ Upstream commit bced3f7db95ff2e6ca29dc4d1c9751ab5e736a09 ]
+
+tcp_rtx_synack() now could be called in process context as explained in
+0a375c822497 ("tcp: tcp_rtx_synack() can be called from process
+context").
+
+tcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU
+variables with preemption enabled. This causes the following BUG:
+
+ BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464
+ caller is tcp_make_synack+0x841/0xac0
+ Call Trace:
+
+ dump_stack_lvl+0x10d/0x1a0
+ check_preemption_disabled+0x104/0x110
+ tcp_make_synack+0x841/0xac0
+ tcp_v6_send_synack+0x5c/0x450
+ tcp_rtx_synack+0xeb/0x1f0
+ inet_rtx_syn_ack+0x34/0x60
+ tcp_check_req+0x3af/0x9e0
+ tcp_rcv_state_process+0x59b/0x2030
+ tcp_v6_do_rcv+0x5f5/0x700
+ release_sock+0x3a/0xf0
+ tcp_sendmsg+0x33/0x40
+ ____sys_sendmsg+0x2f2/0x490
+ __sys_sendmsg+0x184/0x230
+ do_syscall_64+0x3d/0x90
+
+Avoid calling __TCP_INC_STATS() with will touch per-cpu variables. Use
+TCP_INC_STATS() which is safe to be called from context switch.
+
+Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners")
+Signed-off-by: Breno Leitao
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230308190745.780221-1-leitao@debian.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index eefd032bc6dbd..e4ad274ec7a30 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3609,7 +3609,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
+ th->window = htons(min(req->rsk_rcv_wnd, 65535U));
+ tcp_options_write((__be32 *)(th + 1), NULL, &opts);
+ th->doff = (tcp_header_size >> 2);
+- __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
++ TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
+
+ #ifdef CONFIG_TCP_MD5SIG
+ /* Okay, we have all we need - do the md5 hash if needed */
+--
+2.39.2
+
diff --git a/queue-5.10/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch b/queue-5.10/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
new file mode 100644
index 00000000000..3fc468943a3
--- /dev/null
+++ b/queue-5.10/xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
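Review bot: The new `TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);` line in tcp_make_synack() carries no comment saying why the preemption-safe variant is needed, and nothing at the call site stops a later cleanup from switching it back to the `__` form used elsewhere. A one-line comment above it would record the constraint given in the commit message: `/* May be reached in process context via tcp_rtx_synack(); do not use __TCP_INC_STATS() here. */`. The body of tcp_make_synack() begins before this hunk and continues after it.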
@@ -0,0 +1,44 @@
+From 8aff5b01ad3087d71db479db47757e6de325b7ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Feb 2023 13:54:00 +0800
+Subject: xfrm: Allow transport-mode states with AF_UNSPEC selector
+
+From: Herbert Xu
+
+[ Upstream commit c276a706ea1f51cf9723ed8484feceaf961b8f89 ]
+
+xfrm state selectors are matched against the inner-most flow
+which can be of any address family. Therefore middle states
+in nested configurations need to carry a wildcard selector in
+order to work at all.
+
+However, this is currently forbidden for transport-mode states.
+
+Fix this by removing the unnecessary check.
+
+Fixes: 13996378e658 ("[IPSEC]: Rename mode to outer_mode and add inner_mode")
+Reported-by: David George
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index fdbd56ed4bd52..ba73014805a4f 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2611,9 +2611,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
+ if (inner_mode == NULL)
+ goto error;
+
+- if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL))
+- goto error;
+-
+ x->inner_mode = *inner_mode;
+
+ if (x->props.family == AF_INET)
+--
+2.39.2
+