From: Sasha Levin Date: Sun, 12 Jun 2022 13:42:03 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.9.318~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a21eaa6f870eedcb5868bade5c340ac108cb16b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch b/queue-5.10/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch new file mode 100644 index 00000000000..47e18db3c1e --- /dev/null +++ b/queue-5.10/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch @@ -0,0 +1,39 @@ +From 39173946ae2ffb7af0d62e975274cc8a18f64bf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 16:23:25 -0700 +Subject: af_unix: Fix a data-race in unix_dgram_peer_wake_me(). + +From: Kuniyuki Iwashima + +[ Upstream commit 662a80946ce13633ae90a55379f1346c10f0c432 ] + +unix_dgram_poll() calls unix_dgram_peer_wake_me() without `other`'s +lock held and check if its receive queue is full. Here we need to +use unix_recvq_full_lockless() instead of unix_recvq_full(), otherwise +KCSAN will report a data-race. + +Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20220605232325.11804-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index b7edca89e0ba..28721e9575b7 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -438,7 +438,7 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) + * -ECONNREFUSED. Otherwise, if we haven't queued any skbs + * to other and its full, we will hang waiting for POLLOUT. + */ +- if (unix_recvq_full(other) && !sock_flag(other, SOCK_DEAD)) ++ if (unix_recvq_full_lockless(other) && !sock_flag(other, SOCK_DEAD)) + return 1; + + if (connected) +-- +2.35.1 + diff --git a/queue-5.10/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch b/queue-5.10/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch new file mode 100644 index 00000000000..5d0d549c9e1 --- /dev/null +++ b/queue-5.10/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch @@ -0,0 +1,52 @@ +From 9d6158cb5d06477b0a37fbe5d36dccd8097232cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 12:59:26 +0400 +Subject: ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe + +From: Miaoqian Lin + +[ Upstream commit 10d6bdf532902be1d8aa5900b3c03c5671612aa2 ] + +of_find_device_by_node() takes reference, we should use put_device() +to release it when not need anymore. +Add missing put_device() to avoid refcount leak. + +Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.") +Signed-off-by: Miaoqian Lin +Reviewed-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_octeon_cf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c +index b5a3f710d76d..4cc8a1027888 100644 +--- a/drivers/ata/pata_octeon_cf.c ++++ b/drivers/ata/pata_octeon_cf.c +@@ -888,12 +888,14 @@ static int octeon_cf_probe(struct platform_device *pdev) + int i; + res_dma = platform_get_resource(dma_dev, IORESOURCE_MEM, 0); + if (!res_dma) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } + cf_port->dma_base = (u64)devm_ioremap(&pdev->dev, res_dma->start, + resource_size(res_dma)); + if (!cf_port->dma_base) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } +@@ -903,6 +905,7 @@ static int octeon_cf_probe(struct platform_device *pdev) + irq = i; + irq_handler = octeon_cf_interrupt; + } ++ put_device(&dma_dev->dev); + } + of_node_put(dma_node); + } +-- +2.35.1 + diff --git a/queue-5.10/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch b/queue-5.10/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch new file mode 100644 index 00000000000..efb752a3b50 --- /dev/null +++ b/queue-5.10/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch @@ -0,0 +1,100 @@ +From 78bb742bb76ba0a6587c7c0d7ad09a50f272996d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 14:51:13 -0700 +Subject: bpf, arm64: Clear prog->jited_len along prog->jited + +From: Eric Dumazet + +[ Upstream commit 10f3b29c65bb2fe0d47c2945cd0b4087be1c5218 ] + +syzbot reported an illegal copy_to_user() attempt +from bpf_prog_get_info_by_fd() [1] + +There was no repro yet on this bug, but I think +that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") +is exposing a prior bug in bpf arm64. + +bpf_prog_get_info_by_fd() looks at prog->jited_len +to determine if the JIT image can be copied out to user space. + +My theory is that syzbot managed to get a prog where prog->jited_len +has been set to 43, while prog->bpf_func has ben cleared. + +It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering +this particular warning. + +I thought find_vma_area(NULL) would not find a vm_struct. +As we do not hold vmap_area_lock spinlock, it might be possible +that the found vm_struct was garbage. + +[1] +usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)! +kernel BUG at mm/usercopy.c:101! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0 +Hardware name: linux,dummy-virt (DT) +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101 +lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89 +sp : ffff80000b773a20 +x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48 +x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000 +x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001 +x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd +x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420 +x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031 +x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865 +x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830 +x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000 +x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064 +Call trace: + usercopy_abort+0x90/0x94 mm/usercopy.c:89 + check_heap_object mm/usercopy.c:186 [inline] + __check_object_size mm/usercopy.c:252 [inline] + __check_object_size+0x198/0x36c mm/usercopy.c:214 + check_object_size include/linux/thread_info.h:199 [inline] + check_copy_size include/linux/thread_info.h:235 [inline] + copy_to_user include/linux/uaccess.h:159 [inline] + bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993 + bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253 + __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956 + __do_sys_bpf kernel/bpf/syscall.c:5021 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5019 [inline] + __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019 + __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] + invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52 + el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142 + do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206 + el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624 + el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581 +Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000) + +Fixes: db496944fdaa ("bpf: arm64: add JIT support for multi-function programs") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20220531215113.1100754-1-eric.dumazet@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit_comp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index 9c6cab71ba98..18627cbd6da4 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -1111,6 +1111,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + bpf_jit_binary_free(header); + prog->bpf_func = NULL; + prog->jited = 0; ++ prog->jited_len = 0; + goto out_off; + } + bpf_jit_binary_lock_ro(header); +-- +2.35.1 + diff --git a/queue-5.10/drm-imx-fix-compiler-warning-with-gcc-12.patch b/queue-5.10/drm-imx-fix-compiler-warning-with-gcc-12.patch new file mode 100644 index 00000000000..0b0c421e666 --- /dev/null +++ b/queue-5.10/drm-imx-fix-compiler-warning-with-gcc-12.patch @@ -0,0 +1,51 @@ +From 59bbda60f971851d30480b6f2316d128c4c48c59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 16:59:29 -0700 +Subject: drm: imx: fix compiler warning with gcc-12 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit 7aefd8b53815274f3ef398d370a3c9b27dd9f00c ] + +Gcc-12 correctly warned about this code using a non-NULL pointer as a +truth value: + + drivers/gpu/drm/imx/ipuv3-crtc.c: In function ‘ipu_crtc_disable_planes’: + drivers/gpu/drm/imx/ipuv3-crtc.c:72:21: error: the comparison will always evaluate as ‘true’ for the address of ‘plane’ will never be NULL [-Werror=address] + 72 | if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + | ^ + +due to the extraneous '&' address-of operator. + +Philipp Zabel points out that The mistake had no adverse effect since +the following condition doesn't actually dereference the NULL pointer, +but the intent of the code was obviously to check for it, not to take +the address of the member. + +Fixes: eb8c88808c83 ("drm/imx: add deferred plane disabling") +Acked-by: Philipp Zabel +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c +index d412fc265395..fd9d8e51837f 100644 +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -68,7 +68,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc, + drm_atomic_crtc_state_for_each_plane(plane, old_crtc_state) { + if (plane == &ipu_crtc->plane[0]->base) + disable_full = true; +- if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) ++ if (ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + disable_partial = true; + } + +-- +2.35.1 + diff --git a/queue-5.10/ip_gre-test-csum_start-instead-of-transport-header.patch b/queue-5.10/ip_gre-test-csum_start-instead-of-transport-header.patch new file mode 100644 index 00000000000..201ac8b2e65 --- /dev/null +++ b/queue-5.10/ip_gre-test-csum_start-instead-of-transport-header.patch @@ -0,0 +1,87 @@ +From 546905be35e55a11cc79ff64927d66f8e16e22df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 09:21:07 -0400 +Subject: ip_gre: test csum_start instead of transport header + +From: Willem de Bruijn + +[ Upstream commit 8d21e9963bec1aad2280cdd034c8993033ef2948 ] + +GRE with TUNNEL_CSUM will apply local checksum offload on +CHECKSUM_PARTIAL packets. + +ipgre_xmit must validate csum_start after an optional skb_pull, +else lco_csum may trigger an overflow. The original check was + + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; + +This had false positives when skb_checksum_start is undefined: +when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement +was straightforward + + if (csum && skb->ip_summed == CHECKSUM_PARTIAL && + skb_checksum_start(skb) < skb->data) + return -EINVAL; + +But was eventually revised more thoroughly: +- restrict the check to the only branch where needed, in an + uncommon GRE path that uses header_ops and calls skb_pull. +- test skb_transport_header, which is set along with csum_start + in skb_partial_csum_set in the normal header_ops datapath. + +Turns out skbs can arrive in this branch without the transport +header set, e.g., through BPF redirection. + +Revise the check back to check csum_start directly, and only if +CHECKSUM_PARTIAL. Do leave the check in the updated location. +Check field regardless of whether TUNNEL_CSUM is configured. + +Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/ +Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u +Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull") +Reported-by: syzbot +Signed-off-by: Willem de Bruijn +Reviewed-by: Eric Dumazet +Reviewed-by: Alexander Duyck +Link: https://lore.kernel.org/r/20220606132107.3582565-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 2a80038575d2..a7e32be8714f 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -624,21 +624,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { +- const int pull_len = tunnel->hlen + sizeof(struct iphdr); +- + if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; + +- if (pull_len > skb_transport_offset(skb)) +- goto free_skb; +- + /* Pull skb since ip_tunnel_xmit() needs skb->data pointing + * to gre header. + */ +- skb_pull(skb, pull_len); ++ skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); + skb_reset_mac_header(skb); ++ ++ if (skb->ip_summed == CHECKSUM_PARTIAL && ++ skb_checksum_start(skb) < skb->data) ++ goto free_skb; + } else { + if (skb_cow_head(skb, dev->needed_headroom)) + goto free_skb; +-- +2.35.1 + diff --git a/queue-5.10/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch b/queue-5.10/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch new file mode 100644 index 00000000000..39ceca37371 --- /dev/null +++ b/queue-5.10/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch @@ -0,0 +1,59 @@ +From 9fc4aa9319c6e96b353d9492eb9aef009137f88a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 08:11:43 +0400 +Subject: net: altera: Fix refcount leak in altera_tse_mdio_create + +From: Miaoqian Lin + +[ Upstream commit 11ec18b1d8d92b9df307d31950dcba0b3dd7283c ] + +Every iteration of for_each_child_of_node() decrements +the reference count of the previous node. +When break from a for_each_child_of_node() loop, +we need to explicitly call of_node_put() on the child node when +not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220607041144.7553-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_tse_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index a7d8d45e0e94..b779f3adbc56 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -163,7 +163,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio = mdiobus_alloc(); + if (mdio == NULL) { + netdev_err(dev, "Error allocating MDIO bus\n"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto put_node; + } + + mdio->name = ALTERA_TSE_RESOURCE_NAME; +@@ -180,6 +181,7 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio->id); + goto out_free_mdio; + } ++ of_node_put(mdio_node); + + if (netif_msg_drv(priv)) + netdev_info(dev, "MDIO bus %s: created\n", mdio->id); +@@ -189,6 +191,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + out_free_mdio: + mdiobus_free(mdio); + mdio = NULL; ++put_node: ++ of_node_put(mdio_node); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.10/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch b/queue-5.10/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch new file mode 100644 index 00000000000..da62ac19e05 --- /dev/null +++ b/queue-5.10/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch @@ -0,0 +1,43 @@ +From 39dc8bf5796a149098e962875c993a7be634a465 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 11:23:34 +0400 +Subject: net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list + +From: Miaoqian Lin + +[ Upstream commit 0737e018a05e2aa352828c52bdeed3b02cff2930 ] + +Every iteration of for_each_available_child_of_node() decrements +the reference count of the previous node. +when breaking early from a for_each_available_child_of_node() loop, +we need to explicitly call of_node_put() on the gphy_fw_np. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 14fceff4771e ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220605072335.11257-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lantiq_gswip.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c +index 4abae06499a9..70895e480683 100644 +--- a/drivers/net/dsa/lantiq_gswip.c ++++ b/drivers/net/dsa/lantiq_gswip.c +@@ -1981,8 +1981,10 @@ static int gswip_gphy_fw_list(struct gswip_priv *priv, + for_each_available_child_of_node(gphy_fw_list_np, gphy_fw_np) { + err = gswip_gphy_fw_probe(priv, &priv->gphy_fw[i], + gphy_fw_np, i); +- if (err) ++ if (err) { ++ of_node_put(gphy_fw_np); + goto remove_gphy; ++ } + i++; + } + +-- +2.35.1 + diff --git a/queue-5.10/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch b/queue-5.10/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch new file mode 100644 index 00000000000..0e0525fa538 --- /dev/null +++ b/queue-5.10/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch @@ -0,0 +1,52 @@ +From 5493d7740f584aaa3ede936e3e8d42964691cb36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:55 +0900 +Subject: net: ipv6: unexport __init-annotated seg6_hmac_init() + +From: Masahiro Yamada + +[ Upstream commit 5801f064e35181c71857a80ff18af4dbec3c5f5c ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the caller (net/ipv6/seg6.c) +and the callee (net/ipv6/seg6_hmac.c) belong to the same module. +It seems an internal function call in ipv6.ko. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_hmac.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c +index 85dddfe3a2c6..b9179708e3c1 100644 +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -400,7 +400,6 @@ int __init seg6_hmac_init(void) + { + return seg6_hmac_init_algo(); + } +-EXPORT_SYMBOL(seg6_hmac_init); + + int __net_init seg6_hmac_net_init(struct net *net) + { +-- +2.35.1 + diff --git a/queue-5.10/net-mdio-unexport-__init-annotated-mdio_bus_init.patch b/queue-5.10/net-mdio-unexport-__init-annotated-mdio_bus_init.patch new file mode 100644 index 00000000000..908dc873a20 --- /dev/null +++ b/queue-5.10/net-mdio-unexport-__init-annotated-mdio_bus_init.patch @@ -0,0 +1,54 @@ +From 8cb563268f370cf7e242e34d029ad1436bdfb289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:53 +0900 +Subject: net: mdio: unexport __init-annotated mdio_bus_init() + +From: Masahiro Yamada + +[ Upstream commit 35b42dce619701f1300fb8498dae82c9bb1f0263 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +drivers/net/phy/phy_device.c is never compiled as modular. +(CONFIG_PHYLIB is boolean) + +Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Florian Fainelli +Reviewed-by: Russell King (Oracle) +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index c416ab1d2b00..c1cbdac4b376 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -1008,7 +1008,6 @@ int __init mdio_bus_init(void) + + return ret; + } +-EXPORT_SYMBOL_GPL(mdio_bus_init); + + #if IS_ENABLED(CONFIG_PHYLIB) + void mdio_bus_exit(void) +-- +2.35.1 + diff --git a/queue-5.10/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch b/queue-5.10/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch new file mode 100644 index 00000000000..5dc22a4b540 --- /dev/null +++ b/queue-5.10/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch @@ -0,0 +1,38 @@ +From a15dd2086e778a124a6dcc86c993394b17d3fe08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 14:57:18 +0300 +Subject: net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure + +From: Gal Pressman + +[ Upstream commit f5826c8c9d57210a17031af5527056eefdc2b7eb ] + +The ioctl EEPROM query wrongly returns success on read failures, fix +that by returning the appropriate error code. + +Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20220606115718.14233-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index 01275c376721..962851000ace 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2099,7 +2099,7 @@ static int mlx4_en_get_module_eeprom(struct net_device *dev, + en_err(priv, + "mlx4_get_module_info i(%d) offset(%d) bytes_to_read(%d) - FAILED (0x%x)\n", + i, offset, ee->len - i, ret); +- return 0; ++ return ret; + } + + i += ret; +-- +2.35.1 + diff --git a/queue-5.10/net-mlx5-fs-fail-conflicting-actions.patch b/queue-5.10/net-mlx5-fs-fail-conflicting-actions.patch new file mode 100644 index 00000000000..55e1708ab29 --- /dev/null +++ b/queue-5.10/net-mlx5-fs-fail-conflicting-actions.patch @@ -0,0 +1,91 @@ +From bd3490fb5da43725a032ae8cd191d9cc685da7d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 10:46:59 +0300 +Subject: net/mlx5: fs, fail conflicting actions + +From: Mark Bloch + +[ Upstream commit 8fa5e7b20e01042b14f8cd684d2da9b638460c74 ] + +When combining two steering rules into one check +not only do they share the same actions but those +actions are also the same. This resolves an issue where +when creating two different rules with the same match +the actions are overwritten and one of the rules is deleted +a FW syndrome can be seen in dmesg. + +mlx5_core 0000:03:00.0: mlx5_cmd_check:819:(pid 2105): DEALLOC_MODIFY_HEADER_CONTEXT(0x941) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0x1ab444) + +Fixes: 0d235c3fabb7 ("net/mlx5: Add hash table to search FTEs in a flow-group") +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 35 +++++++++++++++++-- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 15472fb15d7d..4bdcceffe9d3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1520,9 +1520,22 @@ static struct mlx5_flow_rule *find_flow_rule(struct fs_fte *fte, + return NULL; + } + +-static bool check_conflicting_actions(u32 action1, u32 action2) ++static bool check_conflicting_actions_vlan(const struct mlx5_fs_vlan *vlan0, ++ const struct mlx5_fs_vlan *vlan1) + { +- u32 xored_actions = action1 ^ action2; ++ return vlan0->ethtype != vlan1->ethtype || ++ vlan0->vid != vlan1->vid || ++ vlan0->prio != vlan1->prio; ++} ++ ++static bool check_conflicting_actions(const struct mlx5_flow_act *act1, ++ const struct mlx5_flow_act *act2) ++{ ++ u32 action1 = act1->action; ++ u32 action2 = act2->action; ++ u32 xored_actions; ++ ++ xored_actions = action1 ^ action2; + + /* if one rule only wants to count, it's ok */ + if (action1 == MLX5_FLOW_CONTEXT_ACTION_COUNT || +@@ -1539,6 +1552,22 @@ static bool check_conflicting_actions(u32 action1, u32 action2) + MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2)) + return true; + ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT && ++ act1->pkt_reformat != act2->pkt_reformat) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR && ++ act1->modify_hdr != act2->modify_hdr) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH && ++ check_conflicting_actions_vlan(&act1->vlan[0], &act2->vlan[0])) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2 && ++ check_conflicting_actions_vlan(&act1->vlan[1], &act2->vlan[1])) ++ return true; ++ + return false; + } + +@@ -1546,7 +1575,7 @@ static int check_conflicting_ftes(struct fs_fte *fte, + const struct mlx5_flow_context *flow_context, + const struct mlx5_flow_act *flow_act) + { +- if (check_conflicting_actions(flow_act->action, fte->action.action)) { ++ if (check_conflicting_actions(flow_act, &fte->action)) { + mlx5_core_warn(get_dev(&fte->node), + "Found two FTEs with conflicting actions\n"); + return -EEXIST; +-- +2.35.1 + diff --git a/queue-5.10/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch b/queue-5.10/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch new file mode 100644 index 00000000000..9bfc36082a1 --- /dev/null +++ b/queue-5.10/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch @@ -0,0 +1,59 @@ +From 8f5a655217fb28a93b69348dd9521c0001b55325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 21:47:48 +0200 +Subject: net/mlx5: Rearm the FW tracer after each tracer event + +From: Feras Daoud + +[ Upstream commit 8bf94e6414c9481bfa28269022688ab445d0081d ] + +The current design does not arm the tracer if traces are available before +the tracer string database is fully loaded, leading to an unfunctional tracer. +This fix will rearm the tracer every time the FW triggers tracer event +regardless of the tracer strings database status. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Feras Daoud +Signed-off-by: Roy Novich +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 857be86b4a11..e8a4adccd2b2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -675,6 +675,9 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + if (!tracer->owner) + return; + ++ if (unlikely(!tracer->str_db.loaded)) ++ goto arm; ++ + block_count = tracer->buff.size / TRACER_BLOCK_SIZE_BYTE; + start_offset = tracer->buff.consumer_index * TRACER_BLOCK_SIZE_BYTE; + +@@ -732,6 +735,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + &tmp_trace_block[TRACES_PER_BLOCK - 1]); + } + ++arm: + mlx5_fw_tracer_arm(dev); + } + +@@ -1138,8 +1142,7 @@ static int fw_tracer_event(struct notifier_block *nb, unsigned long action, void + queue_work(tracer->work_queue, &tracer->ownership_change_work); + break; + case MLX5_TRACER_SUBTYPE_TRACES_AVAILABLE: +- if (likely(tracer->str_db.loaded)) +- queue_work(tracer->work_queue, &tracer->handle_traces_work); ++ queue_work(tracer->work_queue, &tracer->handle_traces_work); + break; + default: + mlx5_core_dbg(dev, "FWTracer: Event with unrecognized subtype: sub_type %d\n", +-- +2.35.1 + diff --git a/queue-5.10/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch b/queue-5.10/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch new file mode 100644 index 00000000000..3dc2fdd4c79 --- /dev/null +++ b/queue-5.10/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch @@ -0,0 +1,50 @@ +From 3b5ac618139d548878c35cd8a0824ee0a9953935 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:54 +0900 +Subject: net: xfrm: unexport __init-annotated xfrm4_protocol_init() + +From: Masahiro Yamada + +[ Upstream commit 4a388f08d8784af48f352193d2b72aaf167a57a1 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +net/ipv4/xfrm4_policy.c is never compiled as modular. +(CONFIG_XFRM is boolean) + +Fixes: 2f32b51b609f ("xfrm: Introduce xfrm_input_afinfo to access the the callbacks properly") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Acked-by: Steffen Klassert +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_protocol.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c +index ea595c8549c7..cfd46222ef91 100644 +--- a/net/ipv4/xfrm4_protocol.c ++++ b/net/ipv4/xfrm4_protocol.c +@@ -307,4 +307,3 @@ void __init xfrm4_protocol_init(void) + { + xfrm_input_register_afinfo(&xfrm4_input_afinfo); + } +-EXPORT_SYMBOL(xfrm4_protocol_init); +-- +2.35.1 + diff --git a/queue-5.10/netfilter-nat-really-support-inet-nat-without-l3-add.patch b/queue-5.10/netfilter-nat-really-support-inet-nat-without-l3-add.patch new file mode 100644 index 00000000000..a3b19befcd0 --- /dev/null +++ b/queue-5.10/netfilter-nat-really-support-inet-nat-without-l3-add.patch @@ -0,0 +1,103 @@ +From caa16a45dd2d38a10e4849102e963e9eaec57dda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 10:47:35 +0200 +Subject: netfilter: nat: really support inet nat without l3 address + +From: Florian Westphal + +[ Upstream commit 282e5f8fe907dc3f2fbf9f2103b0e62ffc3a68a5 ] + +When no l3 address is given, priv->family is set to NFPROTO_INET and +the evaluation function isn't called. + +Call it too so l4-only rewrite can work. +Also add a test case for this. + +Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only") +Reported-by: Yi Chen +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 3 +- + tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++ + 2 files changed, 45 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index ea53fd999f46..6a4a5ac88db7 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -341,7 +341,8 @@ static void nft_nat_inet_eval(const struct nft_expr *expr, + { + const struct nft_nat *priv = nft_expr_priv(expr); + +- if (priv->family == nft_pf(pkt)) ++ if (priv->family == nft_pf(pkt) || ++ priv->family == NFPROTO_INET) + nft_nat_eval(expr, regs, pkt); + } + +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index d7e07f4c3d7f..4e15e8167310 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -374,6 +374,45 @@ EOF + return $lret + } + ++test_local_dnat_portonly() ++{ ++ local family=$1 ++ local daddr=$2 ++ local lret=0 ++ local sr_s ++ local sr_r ++ ++ip netns exec "$ns0" nft -f /dev/stdin < +Date: Wed, 1 Jun 2022 17:49:36 +0200 +Subject: netfilter: nf_tables: always initialize flowtable hook list in + transaction + +From: Pablo Neira Ayuso + +[ Upstream commit 2c9e4559773c261900c674a86b8e455911675d71 ] + +The hook list is used if nft_trans_flowtable_update(trans) == true. However, +initialize this list for other cases for safety reasons. + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index a5779790e337..b90e45f1ffa0 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -481,6 +481,7 @@ static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, + if (msg_type == NFT_MSG_NEWFLOWTABLE) + nft_activate_next(ctx->net, flowtable); + ++ INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); + nft_trans_flowtable(trans) = flowtable; + list_add_tail(&trans->list, &ctx->net->nft.commit_list); + +-- +2.35.1 + diff --git a/queue-5.10/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch b/queue-5.10/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch new file mode 100644 index 00000000000..5cfc8b73673 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch @@ -0,0 +1,122 @@ +From 191b7d27dec536a4075425bbbc96cc9f05050703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 17:31:29 +0200 +Subject: netfilter: nf_tables: bail out early if hardware offload is not + supported + +From: Pablo Neira Ayuso + +[ Upstream commit 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71 ] + +If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device +provides the .ndo_setup_tc interface or there is an indirect flow block +that has been registered. Otherwise, bail out early from the preparation +phase. Moreover, validate that family == NFPROTO_NETDEV and hook is +NF_NETDEV_INGRESS. + +Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/flow_offload.h | 1 + + include/net/netfilter/nf_tables_offload.h | 2 +- + net/core/flow_offload.c | 6 ++++++ + net/netfilter/nf_tables_api.c | 2 +- + net/netfilter/nf_tables_offload.c | 23 ++++++++++++++++++++++- + 5 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h +index 010d58159887..9a58274e6217 100644 +--- a/include/net/flow_offload.h ++++ b/include/net/flow_offload.h +@@ -568,5 +568,6 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch, + enum tc_setup_type type, void *data, + struct flow_block_offload *bo, + void (*cleanup)(struct flow_block_cb *block_cb)); ++bool flow_indr_dev_exists(void); + + #endif /* _NET_FLOW_OFFLOAD_H */ +diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h +index 7a453a35a41d..1058f38e2aca 100644 +--- a/include/net/netfilter/nf_tables_offload.h ++++ b/include/net/netfilter/nf_tables_offload.h +@@ -91,7 +91,7 @@ int nft_flow_rule_offload_commit(struct net *net); + NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ + memset(&(__reg)->mask, 0xff, (__reg)->len); + +-int nft_chain_offload_priority(struct nft_base_chain *basechain); ++bool nft_chain_offload_support(const struct nft_base_chain *basechain); + + int nft_offload_init(void); + void nft_offload_exit(void); +diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c +index e3f0d5906811..8d958290b7d2 100644 +--- a/net/core/flow_offload.c ++++ b/net/core/flow_offload.c +@@ -566,3 +566,9 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch, + return list_empty(&bo->cb_list) ? -EOPNOTSUPP : 0; + } + EXPORT_SYMBOL(flow_indr_dev_setup_offload); ++ ++bool flow_indr_dev_exists(void) ++{ ++ return !list_empty(&flow_block_indr_dev_list); ++} ++EXPORT_SYMBOL(flow_indr_dev_exists); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8507c1bdd736..0c56a90c3f08 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1963,7 +1963,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, + chain->flags |= NFT_CHAIN_BASE | flags; + basechain->policy = NF_ACCEPT; + if (chain->flags & NFT_CHAIN_HW_OFFLOAD && +- nft_chain_offload_priority(basechain) < 0) ++ !nft_chain_offload_support(basechain)) + return -EOPNOTSUPP; + + flow_block_init(&basechain->flow_block); +diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c +index 839fd09f1bb4..4e99b1731b3f 100644 +--- a/net/netfilter/nf_tables_offload.c ++++ b/net/netfilter/nf_tables_offload.c +@@ -208,7 +208,7 @@ static int nft_setup_cb_call(enum tc_setup_type type, void *type_data, + return 0; + } + +-int nft_chain_offload_priority(struct nft_base_chain *basechain) ++static int nft_chain_offload_priority(const struct nft_base_chain *basechain) + { + if (basechain->ops.priority <= 0 || + basechain->ops.priority > USHRT_MAX) +@@ -217,6 +217,27 @@ int nft_chain_offload_priority(struct nft_base_chain *basechain) + return 0; + } + ++bool nft_chain_offload_support(const struct nft_base_chain *basechain) ++{ ++ struct net_device *dev; ++ struct nft_hook *hook; ++ ++ if (nft_chain_offload_priority(basechain) < 0) ++ return false; ++ ++ list_for_each_entry(hook, &basechain->hook_list, list) { ++ if (hook->ops.pf != NFPROTO_NETDEV || ++ hook->ops.hooknum != NF_NETDEV_INGRESS) ++ return false; ++ ++ dev = hook->ops.dev; ++ if (!dev->netdev_ops->ndo_setup_tc && !flow_indr_dev_exists()) ++ return false; ++ } ++ ++ return true; ++} ++ + static void nft_flow_cls_offload_setup(struct flow_cls_offload *cls_flow, + const struct nft_base_chain *basechain, + const struct nft_rule *rule, +-- +2.35.1 + diff --git a/queue-5.10/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch b/queue-5.10/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch new file mode 100644 index 00000000000..f1a1754bbab --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch @@ -0,0 +1,136 @@ +From 4bfa8aaf74a019398d5ce22128964b38178c82f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 18:40:06 +0200 +Subject: netfilter: nf_tables: delete flowtable hooks via transaction list + +From: Pablo Neira Ayuso + +[ Upstream commit b6d9014a3335194590abdd2a2471ef5147a67645 ] + +Remove inactive bool field in nft_hook object that was introduced in +abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable"). +Move stale flowtable hooks to transaction list instead. + +Deleting twice the same device does not result in ENOENT. + +Fixes: abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 1 - + net/netfilter/nf_tables_api.c | 31 ++++++------------------------- + 2 files changed, 6 insertions(+), 26 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 76bfb6cd5815..b7907385a02f 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1013,7 +1013,6 @@ struct nft_stats { + + struct nft_hook { + struct list_head list; +- bool inactive; + struct nf_hook_ops ops; + struct rcu_head rcu; + }; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ea162e36e0e4..a5779790e337 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1733,7 +1733,6 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, + goto err_hook_dev; + } + hook->ops.dev = dev; +- hook->inactive = false; + + return hook; + +@@ -6880,6 +6879,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + { + const struct nlattr * const *nla = ctx->nla; + struct nft_flowtable_hook flowtable_hook; ++ LIST_HEAD(flowtable_del_list); + struct nft_hook *this, *hook; + struct nft_trans *trans; + int err; +@@ -6895,7 +6895,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + err = -ENOENT; + goto err_flowtable_del_hook; + } +- hook->inactive = true; ++ list_move(&hook->list, &flowtable_del_list); + } + + trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, +@@ -6908,6 +6908,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + nft_trans_flowtable(trans) = flowtable; + nft_trans_flowtable_update(trans) = true; + INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); ++ list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); + nft_flowtable_hook_release(&flowtable_hook); + + list_add_tail(&trans->list, &ctx->net->nft.commit_list); +@@ -6915,13 +6916,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + return 0; + + err_flowtable_del_hook: +- list_for_each_entry(this, &flowtable_hook.list, list) { +- hook = nft_hook_list_find(&flowtable->hook_list, this); +- if (!hook) +- break; +- +- hook->inactive = false; +- } ++ list_splice(&flowtable_del_list, &flowtable->hook_list); + nft_flowtable_hook_release(&flowtable_hook); + + return err; +@@ -7771,17 +7766,6 @@ void nft_chain_del(struct nft_chain *chain) + list_del_rcu(&chain->list); + } + +-static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, +- struct list_head *hook_list) +-{ +- struct nft_hook *hook, *next; +- +- list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { +- if (hook->inactive) +- list_move(&hook->list, hook_list); +- } +-} +- + static void nf_tables_module_autoload_cleanup(struct net *net) + { + struct nft_module_request *req, *next; +@@ -8045,8 +8029,6 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + break; + case NFT_MSG_DELFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { +- nft_flowtable_hooks_del(nft_trans_flowtable(trans), +- &nft_trans_flowtable_hooks(trans)); + nf_tables_flowtable_notify(&trans->ctx, + nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans), +@@ -8124,7 +8106,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + { + struct nft_trans *trans, *next; + struct nft_trans_elem *te; +- struct nft_hook *hook; + + if (action == NFNL_ABORT_VALIDATE && + nf_tables_validate(net) < 0) +@@ -8242,8 +8223,8 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + break; + case NFT_MSG_DELFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { +- list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) +- hook->inactive = false; ++ list_splice(&nft_trans_flowtable_hooks(trans), ++ &nft_trans_flowtable(trans)->hook_list); + } else { + trans->ctx.table->use++; + nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); +-- +2.35.1 + diff --git a/queue-5.10/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch b/queue-5.10/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch new file mode 100644 index 00000000000..88329d12513 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch @@ -0,0 +1,46 @@ +From 7c5bad1c5775f99d1273d4a16336792d77b42eb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 17:15:57 +0200 +Subject: netfilter: nf_tables: memleak flow rule from commit path + +From: Pablo Neira Ayuso + +[ Upstream commit 9dd732e0bdf538b1b76dc7c157e2b5e560ff30d3 ] + +Abort path release flow rule object, however, commit path does not. +Update code to destroy these objects before releasing the transaction. + +Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2872722488c9..8507c1bdd736 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7587,6 +7587,9 @@ static void nft_commit_release(struct nft_trans *trans) + nf_tables_chain_destroy(&trans->ctx); + break; + case NFT_MSG_DELRULE: ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); + break; + case NFT_MSG_DELSET: +@@ -7946,6 +7949,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + nf_tables_rule_notify(&trans->ctx, + nft_trans_rule(trans), + NFT_MSG_NEWRULE); ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nft_trans_destroy(trans); + break; + case NFT_MSG_DELRULE: +-- +2.35.1 + diff --git a/queue-5.10/netfilter-nf_tables-release-new-hooks-on-unsupported.patch b/queue-5.10/netfilter-nf_tables-release-new-hooks-on-unsupported.patch new file mode 100644 index 00000000000..e62dbcccb09 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-release-new-hooks-on-unsupported.patch @@ -0,0 +1,47 @@ +From 2847305f95788ce0f64fdb2f7e1011685f3f821a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 13:40:06 +0200 +Subject: netfilter: nf_tables: release new hooks on unsupported flowtable + flags + +From: Pablo Neira Ayuso + +[ Upstream commit c271cc9febaaa1bcbc0842d1ee30466aa6148ea8 ] + +Release the list of new hooks that are pending to be registered in case +that unsupported flowtable flags are provided. + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b90e45f1ffa0..2872722488c9 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6694,11 +6694,15 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + + if (nla[NFTA_FLOWTABLE_FLAGS]) { + flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); +- if (flags & ~NFT_FLOWTABLE_MASK) +- return -EOPNOTSUPP; ++ if (flags & ~NFT_FLOWTABLE_MASK) { ++ err = -EOPNOTSUPP; ++ goto err_flowtable_update_hook; ++ } + if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ +- (flags & NFT_FLOWTABLE_HW_OFFLOAD)) +- return -EOPNOTSUPP; ++ (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { ++ err = -EOPNOTSUPP; ++ goto err_flowtable_update_hook; ++ } + } else { + flags = flowtable->data.flags; + } +-- +2.35.1 + diff --git a/queue-5.10/powerpc-kasan-force-thread-size-increase-with-kasan.patch b/queue-5.10/powerpc-kasan-force-thread-size-increase-with-kasan.patch new file mode 100644 index 00000000000..cf833f371f5 --- /dev/null +++ b/queue-5.10/powerpc-kasan-force-thread-size-increase-with-kasan.patch @@ -0,0 +1,71 @@ +From ff5f030ed094e6189eb0675e3c4d8282a88f04b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 00:31:14 +1000 +Subject: powerpc/kasan: Force thread size increase with KASAN + +From: Michael Ellerman + +[ Upstream commit 3e8635fb2e072672cbc650989ffedf8300ad67fb ] + +KASAN causes increased stack usage, which can lead to stack overflows. + +The logic in Kconfig to suggest a larger default doesn't work if a user +has CONFIG_EXPERT enabled and has an existing .config with a smaller +value. + +Follow the lead of x86 and arm64, and force the thread size to be +increased when KASAN is enabled. + +That also has the effect of enlarging the stack for 64-bit KASAN builds, +which is also desirable. + +Fixes: edbadaf06710 ("powerpc/kasan: Fix stack overflow by increasing THREAD_SHIFT") +Reported-by: Erhard Furtner +Reported-by: Christophe Leroy +[mpe: Use MIN_THREAD_SHIFT as suggested by Christophe] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220601143114.133524-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 1 - + arch/powerpc/include/asm/thread_info.h | 10 ++++++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 5afa0ebd78ca..78dd6be8b31d 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -786,7 +786,6 @@ config THREAD_SHIFT + range 13 15 + default "15" if PPC_256K_PAGES + default "14" if PPC64 +- default "14" if KASAN + default "13" + help + Used to define the stack size. The default is almost always what you +diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h +index 46a210b03d2b..6de3517bea94 100644 +--- a/arch/powerpc/include/asm/thread_info.h ++++ b/arch/powerpc/include/asm/thread_info.h +@@ -14,10 +14,16 @@ + + #ifdef __KERNEL__ + +-#if defined(CONFIG_VMAP_STACK) && CONFIG_THREAD_SHIFT < PAGE_SHIFT ++#ifdef CONFIG_KASAN ++#define MIN_THREAD_SHIFT (CONFIG_THREAD_SHIFT + 1) ++#else ++#define MIN_THREAD_SHIFT CONFIG_THREAD_SHIFT ++#endif ++ ++#if defined(CONFIG_VMAP_STACK) && MIN_THREAD_SHIFT < PAGE_SHIFT + #define THREAD_SHIFT PAGE_SHIFT + #else +-#define THREAD_SHIFT CONFIG_THREAD_SHIFT ++#define THREAD_SHIFT MIN_THREAD_SHIFT + #endif + + #define THREAD_SIZE (1 << THREAD_SHIFT) +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 94b1fad5465..825d50852f3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -89,3 +89,25 @@ nfsv4-don-t-hold-the-layoutget-locks-across-multiple.patch video-fbdev-hyperv_fb-allow-resolutions-with-size-64.patch video-fbdev-pxa3xx-gcu-release-the-resources-correct.patch xprtrdma-treat-all-calls-not-a-bcall-when-bc_serv-is.patch +netfilter-nat-really-support-inet-nat-without-l3-add.patch +netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch +powerpc-kasan-force-thread-size-increase-with-kasan.patch +netfilter-nf_tables-always-initialize-flowtable-hook.patch +ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch +netfilter-nf_tables-release-new-hooks-on-unsupported.patch +netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch +netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch +xen-unexport-__init-annotated-xen_xlate_map_balloone.patch +af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch +bpf-arm64-clear-prog-jited_len-along-prog-jited.patch +net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch +net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch +sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch +net-mdio-unexport-__init-annotated-mdio_bus_init.patch +net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch +net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch +net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch +net-mlx5-fs-fail-conflicting-actions.patch +ip_gre-test-csum_start-instead-of-transport-header.patch +net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch +drm-imx-fix-compiler-warning-with-gcc-12.patch diff --git a/queue-5.10/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch b/queue-5.10/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch new file mode 100644 index 00000000000..70ea38bce47 --- /dev/null +++ b/queue-5.10/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch @@ -0,0 +1,49 @@ +From d94453e4adbc0405649a6711bff4d78a40a8377e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 16:47:52 -0400 +Subject: SUNRPC: Fix the calculation of xdr->end in + xdr_get_next_encode_buffer() + +From: Chuck Lever + +[ Upstream commit 6c254bf3b637dd4ef4f78eb78c7447419c0161d7 ] + +I found that NFSD's new NFSv3 READDIRPLUS XDR encoder was screwing up +right at the end of the page array. xdr_get_next_encode_buffer() does +not compute the value of xdr->end correctly: + + * The check to see if we're on the final available page in xdr->buf + needs to account for the space consumed by @nbytes. + + * The new xdr->end value needs to account for the portion of @nbytes + that is to be encoded into the previous buffer. + +Fixes: 2825a7f90753 ("nfsd4: allow encoding across page boundaries") +Signed-off-by: Chuck Lever +Reviewed-by: NeilBrown +Reviewed-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/xdr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c +index 71e03b930b70..c8ed6d3d5762 100644 +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -752,7 +752,11 @@ static __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr, + */ + xdr->p = (void *)p + frag2bytes; + space_left = xdr->buf->buflen - xdr->buf->len; +- xdr->end = (void *)p + min_t(int, space_left, PAGE_SIZE); ++ if (space_left - nbytes >= PAGE_SIZE) ++ xdr->end = (void *)p + PAGE_SIZE; ++ else ++ xdr->end = (void *)p + space_left - frag1bytes; ++ + xdr->buf->page_len += frag2bytes; + xdr->buf->len += nbytes; + return p; +-- +2.35.1 + diff --git a/queue-5.10/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch b/queue-5.10/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch new file mode 100644 index 00000000000..aec550b0434 --- /dev/null +++ b/queue-5.10/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch @@ -0,0 +1,55 @@ +From 6da1287fe0cea6536c4cdcdd83baef3d82393c91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:59:20 +0900 +Subject: xen: unexport __init-annotated xen_xlate_map_ballooned_pages() + +From: Masahiro Yamada + +[ Upstream commit dbac14a5a05ff8e1ce7c0da0e1f520ce39ec62ea ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because none of the in-tree call-sites +(arch/arm/xen/enlighten.c, arch/x86/xen/grant-table.c) is compiled as +modular. + +Fixes: 243848fc018c ("xen/grant-table: Move xlated_setup_gnttab_pages to common place") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Oleksandr Tyshchenko +Acked-by: Stefano Stabellini +Link: https://lore.kernel.org/r/20220606045920.4161881-1-masahiroy@kernel.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xlate_mmu.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c +index 34742c6e189e..f17c4c03db30 100644 +--- a/drivers/xen/xlate_mmu.c ++++ b/drivers/xen/xlate_mmu.c +@@ -261,7 +261,6 @@ int __init xen_xlate_map_ballooned_pages(xen_pfn_t **gfns, void **virt, + + return 0; + } +-EXPORT_SYMBOL_GPL(xen_xlate_map_ballooned_pages); + + struct remap_pfn { + struct mm_struct *mm; +-- +2.35.1 +