From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 18:20:11 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.14.323~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8d7817e923cd8cc5f29cd663d9ec37a780b1886b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch dccp-fix-data-race-around-dp-dccps_mss_cache.patch drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch ib-hfi1-fix-possible-panic-during-hotplug-remove.patch misdn-update-parameter-type-of-dsp_cmx_send.patch net-packet-annotate-data-races-around-tp-status.patch vlan-fix-vlan-0-memory-leak.patch wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch --- diff --git a/queue-4.19/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch b/queue-4.19/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch new file mode 100644 index 00000000000..1c2b25bbdef --- /dev/null +++ b/queue-4.19/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch 
@@ -0,0 +1,82 @@ +From 01f4fd27087078c90a0e22860d1dfa2cd0510791 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 2 Aug 2023 19:43:20 +0800 +Subject: bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves + +From: Ziyang Xuan + +commit 01f4fd27087078c90a0e22860d1dfa2cd0510791 upstream. + +BUG_ON(!vlan_info) is triggered in unregister_vlan_dev() with +following testcase: + + # ip netns add ns1 + # ip netns exec ns1 ip link add bond0 type bond mode 0 + # ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + # ip netns exec ns1 ip link set bond_slave_1 master bond0 + # ip netns exec ns1 ip link add link bond_slave_1 name vlan10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link add link bond0 name bond0_vlan10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link set bond_slave_1 nomaster + # ip netns del ns1 + +The logical analysis of the problem is as follows: + +1. create ETH_P_8021AD protocol vlan10 for bond_slave_1: +register_vlan_dev() + vlan_vid_add() + vlan_info_alloc() + __vlan_vid_add() // add [ETH_P_8021AD, 10] vid to bond_slave_1 + +2. create ETH_P_8021AD protocol bond0_vlan10 for bond0: +register_vlan_dev() + vlan_vid_add() + __vlan_vid_add() + vlan_add_rx_filter_info() + if (!vlan_hw_filter_capable(dev, proto)) // condition established because bond0 without NETIF_F_HW_VLAN_STAG_FILTER + return 0; + + if (netif_device_present(dev)) + return dev->netdev_ops->ndo_vlan_rx_add_vid(dev, proto, vid); // will be never called + // The slaves of bond0 will not refer to the [ETH_P_8021AD, 10] vid. + +3. detach bond_slave_1 from bond0: +__bond_release_one() + vlan_vids_del_by_dev() + list_for_each_entry(vid_info, &vlan_info->vid_list, list) + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + // bond_slave_1 [ETH_P_8021AD, 10] vid will be deleted. + // bond_slave_1->vlan_info will be assigned NULL. + +4. 
delete vlan10 during delete ns1: +default_device_exit_batch() + dev->rtnl_link_ops->dellink() // unregister_vlan_dev() for vlan10 + vlan_info = rtnl_dereference(real_dev->vlan_info); // real_dev of vlan10 is bond_slave_1 + BUG_ON(!vlan_info); // bond_slave_1->vlan_info is NULL now, bug is triggered!!! + +Add S-VLAN tag related features support to bond driver. So the bond driver +will always propagate the VLAN info to its slaves. + +Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support") +Suggested-by: Ido Schimmel +Signed-off-by: Ziyang Xuan +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/20230802114320.4156068-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4395,7 +4395,9 @@ void bond_setup(struct net_device *bond_ + + bond_dev->hw_features = BOND_VLAN_FEATURES | + NETIF_F_HW_VLAN_CTAG_RX | +- NETIF_F_HW_VLAN_CTAG_FILTER; ++ NETIF_F_HW_VLAN_CTAG_FILTER | ++ NETIF_F_HW_VLAN_STAG_RX | ++ NETIF_F_HW_VLAN_STAG_FILTER; + + bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL | NETIF_F_GSO_UDP_L4; + bond_dev->features |= bond_dev->hw_features; diff --git a/queue-4.19/dccp-fix-data-race-around-dp-dccps_mss_cache.patch b/queue-4.19/dccp-fix-data-race-around-dp-dccps_mss_cache.patch new file mode 100644 index 00000000000..0a54e46f2b4 --- /dev/null +++ b/queue-4.19/dccp-fix-data-race-around-dp-dccps_mss_cache.patch 
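Review bot: In the bond_setup() hunk of the bonding patch, the two S-VLAN bits are added to `bond_dev->hw_features`, which is the user-changeable feature set, so the commit message's promise that the bond "will always propagate the VLAN info to its slaves" appears to hold only while `NETIF_F_HW_VLAN_STAG_FILTER` stays enabled. If the bit can be cleared at runtime, the early `return 0` described in step 2 of the analysis would apply again and the slave's vid bookkeeping could go out of balance the same way; this is inferred from the description, not visible in the hunk. It is worth confirming whether the filter bit should be fixed rather than toggleable, and adding a comment above the assignment such as `/* S-VLAN filter must stay on so 802.1ad vids are propagated to slaves */`. bond_setup() starts and ends outside the hunk.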
@@ -0,0 +1,71 @@ +From a47e598fbd8617967e49d85c49c22f9fc642704c Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 3 Aug 2023 16:30:21 +0000 +Subject: dccp: fix data-race around dp->dccps_mss_cache + +From: Eric Dumazet + +commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream. + +dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. +Same thing in do_dccp_getsockopt(). + +Add READ_ONCE()/WRITE_ONCE() annotations, +and change dccp_sendmsg() to check again dccps_mss_cache +after socket is locked. + +Fixes: 7c657876b63c ("[DCCP]: Initial implementation") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/output.c | 2 +- + net/dccp/proto.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/net/dccp/output.c ++++ b/net/dccp/output.c +@@ -189,7 +189,7 @@ unsigned int dccp_sync_mss(struct sock * + + /* And store cached results */ + icsk->icsk_pmtu_cookie = pmtu; +- dp->dccps_mss_cache = cur_mps; ++ WRITE_ONCE(dp->dccps_mss_cache, cur_mps); + + return cur_mps; + } +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -648,7 +648,7 @@ static int do_dccp_getsockopt(struct soc + return dccp_getsockopt_service(sk, len, + (__be32 __user *)optval, optlen); + case DCCP_SOCKOPT_GET_CUR_MPS: +- val = dp->dccps_mss_cache; ++ val = READ_ONCE(dp->dccps_mss_cache); + break; + case DCCP_SOCKOPT_AVAILABLE_CCIDS: + return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen); +@@ -770,7 +770,7 @@ int dccp_sendmsg(struct sock *sk, struct + + trace_dccp_probe(sk, len); + +- if (len > dp->dccps_mss_cache) ++ if (len > READ_ONCE(dp->dccps_mss_cache)) + return -EMSGSIZE; + + lock_sock(sk); +@@ -803,6 +803,12 @@ int dccp_sendmsg(struct sock *sk, struct + goto out_discard; + } + ++ /* We need to check dccps_mss_cache after socket is locked. 
*/ ++ if (len > dp->dccps_mss_cache) { ++ rc = -EMSGSIZE; ++ goto out_discard; ++ } ++ + skb_reserve(skb, sk->sk_prot->max_header); + rc = memcpy_from_msg(skb_put(skb, len), msg, len); + if (rc != 0) diff --git a/queue-4.19/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch b/queue-4.19/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch new file mode 100644 index 00000000000..5c73a15858e --- /dev/null +++ b/queue-4.19/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch 
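Review bot: The re-check added to dccp_sendmsg() under the socket lock is the test that actually enforces the size limit, but its comment does not say why the earlier test is insufficient. The `READ_ONCE()` comparison before `lock_sock(sk)` is only a fast path, because dccp_sync_mss() can rewrite dccps_mss_cache before the lock is taken. A comment such as `/* dccps_mss_cache may have shrunk since the lockless check; re-validate len under the socket lock before copying user data */` would make that explicit. The locked read is a plain load, which is only consistent if every writer holds the socket lock; that is not visible in these hunks and is worth stating next to the check. dccp_sendmsg() continues outside both of its hunks.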
@@ -0,0 +1,40 @@ +From 59eeb232940515590de513b997539ef495faca9a Mon Sep 17 00:00:00 2001 +From: Andrew Kanner +Date: Thu, 3 Aug 2023 20:59:48 +0200 +Subject: drivers: net: prevent tun_build_skb() to exceed the packet size limit + +From: Andrew Kanner + +commit 59eeb232940515590de513b997539ef495faca9a upstream. + +Using the syzkaller repro with reduced packet size it was discovered +that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(), +although pad may be incremented in tun_build_skb(). This may end up +with exceeding the PAGE_SIZE limit in tun_build_skb(). + +Jason Wang proposed to count XDP_PACKET_HEADROOM +always (e.g. without rcu_access_pointer(tun->xdp_prog)) in +tun_can_build_skb() since there's a window during which XDP program +might be attached between tun_can_build_skb() and tun_build_skb(). + +Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set") +Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a +Signed-off-by: Andrew Kanner +Link: https://lore.kernel.org/r/20230803185947.2379988-1-andrew.kanner@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1654,7 +1654,7 @@ static bool tun_can_build_skb(struct tun + if (zerocopy) + return false; + +- if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + ++ if (SKB_DATA_ALIGN(len + TUN_RX_PAD + XDP_PACKET_HEADROOM) + + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE) + return false; + diff --git a/queue-4.19/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch b/queue-4.19/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch new file mode 100644 index 00000000000..01d1bdfcc87 --- /dev/null +++ b/queue-4.19/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch 
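Review bot: The size test in tun_can_build_skb() now has to mirror the padding that tun_build_skb() computes, and nothing on the new line records that coupling or why the headroom is counted even when no XDP program is attached. The reason (a program may be attached in the window between the two functions) exists only in the commit message, so a later edit to either side could reopen the PAGE_SIZE overrun unnoticed. I would add `/* Always count XDP_PACKET_HEADROOM: an XDP program may be attached between this check and tun_build_skb() */` above the condition. Both functions lie mostly outside the hunk, so whether the two pad expressions now agree exactly could not be checked here.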
@@ -0,0 +1,33 @@ +From 4fdfaef71fced490835145631a795497646f4555 Mon Sep 17 00:00:00 2001 +From: Douglas Miller +Date: Wed, 2 Aug 2023 13:32:41 -0400 +Subject: IB/hfi1: Fix possible panic during hotplug remove + +From: Douglas Miller + +commit 4fdfaef71fced490835145631a795497646f4555 upstream. + +During hotplug remove it is possible that the update counters work +might be pending, and may run after memory has been freed. +Cancel the update counters work before freeing memory. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Signed-off-by: Douglas Miller +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/169099756100.3927190.15284930454106475280.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/chip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -12178,6 +12178,7 @@ static void free_cntrs(struct hfi1_devda + + if (dd->synth_stats_timer.function) + del_timer_sync(&dd->synth_stats_timer); ++ cancel_work_sync(&dd->update_cntr_work); + ppd = (struct hfi1_pportdata *)(dd + 1); + for (i = 0; i < dd->num_pports; i++, ppd++) { + kfree(ppd->cntrs); diff --git a/queue-4.19/misdn-update-parameter-type-of-dsp_cmx_send.patch b/queue-4.19/misdn-update-parameter-type-of-dsp_cmx_send.patch new file mode 100644 index 00000000000..a3294e37839 --- /dev/null +++ b/queue-4.19/misdn-update-parameter-type-of-dsp_cmx_send.patch 
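Review bot: The added `cancel_work_sync(&dd->update_cntr_work)` in free_cntrs() runs unconditionally, while the timer teardown just above it is guarded by `if (dd->synth_stats_timer.function)`. That guard suggests free_cntrs() can be reached before the timer was set up; if the work item is initialised at the same point, this call would operate on a work_struct that was never initialised. The init path is not visible in the hunk, so this should be confirmed against the 4.19 tree. If it applies, the call could take a matching guard, e.g. `if (dd->update_cntr_work.func) cancel_work_sync(&dd->update_cntr_work);`. The ordering (timer stopped first, then the work it presumably queues) looks right; free_cntrs() continues outside the hunk.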
@@ -0,0 +1,75 @@ +From 1696ec8654016dad3b1baf6c024303e584400453 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 2 Aug 2023 10:40:29 -0700 +Subject: mISDN: Update parameter type of dsp_cmx_send() + +From: Nathan Chancellor + +commit 1696ec8654016dad3b1baf6c024303e584400453 upstream. + +When booting a kernel with CONFIG_MISDN_DSP=y and CONFIG_CFI_CLANG=y, +there is a failure when dsp_cmx_send() is called indirectly from +call_timer_fn(): + + [ 0.371412] CFI failure at call_timer_fn+0x2f/0x150 (target: dsp_cmx_send+0x0/0x530; expected type: 0x92ada1e9) + +The function pointer prototype that call_timer_fn() expects is + + void (*fn)(struct timer_list *) + +whereas dsp_cmx_send() has a parameter type of 'void *', which causes +the control flow integrity checks to fail because the parameter types do +not match. + +Change dsp_cmx_send()'s parameter type to be 'struct timer_list' to +match the expected prototype. The argument is unused anyways, so this +has no functional change, aside from avoiding the CFI failure. 
+ +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202308020936.58787e6c-oliver.sang@intel.com +Signed-off-by: Nathan Chancellor +Reviewed-by: Sami Tolvanen +Reviewed-by: Kees Cook +Fixes: e313ac12eb13 ("mISDN: Convert timers to use timer_setup()") +Link: https://lore.kernel.org/r/20230802-fix-dsp_cmx_send-cfi-failure-v1-1-2f2e79b0178d@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/mISDN/dsp.h | 2 +- + drivers/isdn/mISDN/dsp_cmx.c | 2 +- + drivers/isdn/mISDN/dsp_core.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/isdn/mISDN/dsp.h ++++ b/drivers/isdn/mISDN/dsp.h +@@ -247,7 +247,7 @@ extern void dsp_cmx_hardware(struct dsp_ + extern int dsp_cmx_conf(struct dsp *dsp, u32 conf_id); + extern void dsp_cmx_receive(struct dsp *dsp, struct sk_buff *skb); + extern void dsp_cmx_hdlc(struct dsp *dsp, struct sk_buff *skb); +-extern void dsp_cmx_send(void *arg); ++extern void dsp_cmx_send(struct timer_list *arg); + extern void dsp_cmx_transmit(struct dsp *dsp, struct sk_buff *skb); + extern int dsp_cmx_del_conf_member(struct dsp *dsp); + extern int dsp_cmx_del_conf(struct dsp_conf *conf); +--- a/drivers/isdn/mISDN/dsp_cmx.c ++++ b/drivers/isdn/mISDN/dsp_cmx.c +@@ -1625,7 +1625,7 @@ static u16 dsp_count; /* last sample cou + static int dsp_count_valid; /* if we have last sample count */ + + void +-dsp_cmx_send(void *arg) ++dsp_cmx_send(struct timer_list *arg) + { + struct dsp_conf *conf; + struct dsp_conf_member *member; +--- a/drivers/isdn/mISDN/dsp_core.c ++++ b/drivers/isdn/mISDN/dsp_core.c +@@ -1202,7 +1202,7 @@ static int __init dsp_init(void) + } + + /* set sample timer */ +- timer_setup(&dsp_spl_tl, (void *)dsp_cmx_send, 0); ++ timer_setup(&dsp_spl_tl, dsp_cmx_send, 0); + dsp_spl_tl.expires = jiffies + dsp_tics; + dsp_spl_jiffies = dsp_spl_tl.expires; + add_timer(&dsp_spl_tl); 
diff --git a/queue-4.19/net-packet-annotate-data-races-around-tp-status.patch b/queue-4.19/net-packet-annotate-data-races-around-tp-status.patch
new file mode 100644
index 00000000000..40c243d0643
--- /dev/null
+++ b/queue-4.19/net-packet-annotate-data-races-around-tp-status.patch
@@ -0,0 +1,125 @@ +From 8a9896177784063d01068293caea3f74f6830ff6 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 3 Aug 2023 14:56:00 +0000 +Subject: net/packet: annotate data-races around tp->status + +From: Eric Dumazet + +commit 8a9896177784063d01068293caea3f74f6830ff6 upstream. + +Another syzbot report [1] is about tp->status lockless reads +from __packet_get_status() + +[1] +BUG: KCSAN: data-race in __packet_rcv_has_room / __packet_set_status + +write to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 0: +__packet_set_status+0x78/0xa0 net/packet/af_packet.c:407 +tpacket_rcv+0x18bb/0x1a60 net/packet/af_packet.c:2483 +deliver_skb net/core/dev.c:2173 [inline] +__netif_receive_skb_core+0x408/0x1e80 net/core/dev.c:5337 +__netif_receive_skb_one_core net/core/dev.c:5491 [inline] +__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +invoke_softirq kernel/softirq.c:445 [inline] +__irq_exit_rcu+0x57/0xa0 kernel/softirq.c:650 +sysvec_apic_timer_interrupt+0x6d/0x80 arch/x86/kernel/apic/apic.c:1106 +asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645 +smpboot_thread_fn+0x33c/0x4a0 kernel/smpboot.c:112 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +read to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 1: +__packet_get_status net/packet/af_packet.c:436 [inline] +packet_lookup_frame net/packet/af_packet.c:524 [inline] +__tpacket_has_room net/packet/af_packet.c:1255 [inline] +__packet_rcv_has_room+0x3f9/0x450 net/packet/af_packet.c:1298 +tpacket_rcv+0x275/0x1a60 net/packet/af_packet.c:2285 +deliver_skb net/core/dev.c:2173 [inline] +dev_queue_xmit_nit+0x38a/0x5e0 net/core/dev.c:2243 +xmit_one net/core/dev.c:3574 [inline] +dev_hard_start_xmit+0xcf/0x3f0 
net/core/dev.c:3594 +__dev_queue_xmit+0xefb/0x1d10 net/core/dev.c:4244 +dev_queue_xmit include/linux/netdevice.h:3088 [inline] +can_send+0x4eb/0x5d0 net/can/af_can.c:276 +bcm_can_tx+0x314/0x410 net/can/bcm.c:302 +bcm_tx_timeout_handler+0xdb/0x260 +__run_hrtimer kernel/time/hrtimer.c:1685 [inline] +__hrtimer_run_queues+0x217/0x700 kernel/time/hrtimer.c:1749 +hrtimer_run_softirq+0xd6/0x120 kernel/time/hrtimer.c:1766 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x0000000000000000 -> 0x0000000020000081 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.4.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 + +Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230803145600.2937518-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -370,18 +370,20 @@ static void __packet_set_status(struct p + { + union tpacket_uhdr h; + ++ /* WRITE_ONCE() are paired with READ_ONCE() in __packet_get_status */ ++ + h.raw = frame; + switch (po->tp_version) { + case TPACKET_V1: +- h.h1->tp_status = status; ++ WRITE_ONCE(h.h1->tp_status, status); + flush_dcache_page(pgv_to_page(&h.h1->tp_status)); + break; + case TPACKET_V2: +- h.h2->tp_status = status; ++ WRITE_ONCE(h.h2->tp_status, status); + flush_dcache_page(pgv_to_page(&h.h2->tp_status)); + break; + case TPACKET_V3: +- h.h3->tp_status = status; ++ WRITE_ONCE(h.h3->tp_status, status); + 
flush_dcache_page(pgv_to_page(&h.h3->tp_status)); + break; + default: +@@ -398,17 +400,19 @@ static int __packet_get_status(struct pa + + smp_rmb(); + ++ /* READ_ONCE() are paired with WRITE_ONCE() in __packet_set_status */ ++ + h.raw = frame; + switch (po->tp_version) { + case TPACKET_V1: + flush_dcache_page(pgv_to_page(&h.h1->tp_status)); +- return h.h1->tp_status; ++ return READ_ONCE(h.h1->tp_status); + case TPACKET_V2: + flush_dcache_page(pgv_to_page(&h.h2->tp_status)); +- return h.h2->tp_status; ++ return READ_ONCE(h.h2->tp_status); + case TPACKET_V3: + flush_dcache_page(pgv_to_page(&h.h3->tp_status)); +- return h.h3->tp_status; ++ return READ_ONCE(h.h3->tp_status); + default: + WARN(1, "TPACKET version not supported.\n"); + BUG(); diff --git a/queue-4.19/series b/queue-4.19/series index fb1d538bb07..22b6cace8d4 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -13,3 +13,11 @@ x86-cpu-amd-enable-zenbleed-fix-for-amd-custom-apu-0405.patch x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch x86-move-gds_ucode_mitigated-declaration-to-header.patch drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch +misdn-update-parameter-type-of-dsp_cmx_send.patch +net-packet-annotate-data-races-around-tp-status.patch +vlan-fix-vlan-0-memory-leak.patch +bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch +dccp-fix-data-race-around-dp-dccps_mss_cache.patch +drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch +ib-hfi1-fix-possible-panic-during-hotplug-remove.patch +wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch diff --git a/queue-4.19/vlan-fix-vlan-0-memory-leak.patch b/queue-4.19/vlan-fix-vlan-0-memory-leak.patch new file mode 100644 index 00000000000..33fe742116a --- /dev/null +++ b/queue-4.19/vlan-fix-vlan-0-memory-leak.patch 
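Review bot: The two comments added in __packet_set_status() and __packet_get_status() of the net/packet patch name the READ_ONCE()/WRITE_ONCE() pairing but not why a single load matters for this field. tp_status sits in the ring frame header, and the Fixes tag ("TX_RING and packet mmap") suggests that memory is mapped to user space, so the value can presumably change from outside the kernel as well as from another CPU. I would extend the reader-side comment to something like `/* tp_status is in the shared ring: take one untorn snapshot and act only on that value */`. Whether all callers of __packet_get_status() use the returned snapshot rather than re-reading the field is not visible in these hunks and is worth a quick check.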
@@ -0,0 +1,90 @@ +From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Tue, 8 Aug 2023 11:35:21 +0200 +Subject: vlan: Fix VLAN 0 memory leak + +From: Vlad Buslov + +commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream. + +The referenced commit intended to fix memleak of VLAN 0 that is implicitly +created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it +doesn't take into account that the feature can be re-set during the +netdevice lifetime which will cause memory leak if feature is disabled +during the device deletion as illustrated by [0]. Fix the leak by +unconditionally deleting VLAN 0 on NETDEV_DOWN event. + +[0]: +> modprobe 8021q +> ip l set dev eth2 up +> ethtool -K eth2 rx-vlan-filter off +> modprobe -r mlx5_ib +> modprobe -r mlx5_core +> cat /sys/kernel/debug/kmemleak +unreferenced object 0xffff888103dcd900 (size 256): + comm "ip", pid 1490, jiffies 4294907305 (age 325.364s) + hex dump (first 32 bytes): + 00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00 ..]............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<00000000899f3bb9>] kmalloc_trace+0x25/0x80 + [<000000002889a7a2>] vlan_vid_add+0xa0/0x210 + [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q] + [<000000009a0716b1>] notifier_call_chain+0x35/0xb0 + [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0 + [<0000000053d2b05d>] dev_change_flags+0x4d/0x60 + [<00000000982807e9>] do_setlink+0x28d/0x10a0 + [<0000000058c1be00>] __rtnl_newlink+0x545/0x980 + [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70 + [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390 + [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100 + [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0 + [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0 + [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60 + [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200 + [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0 +unreferenced object 0xffff88813354fde0 (size 32): + comm "ip", pid 1490, jiffies 4294907305 (age 325.364s) + hex dump (first 32 bytes): + a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff ................ + 81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<00000000899f3bb9>] kmalloc_trace+0x25/0x80 + [<000000002da64724>] vlan_vid_add+0xdf/0x210 + [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q] + [<000000009a0716b1>] notifier_call_chain+0x35/0xb0 + [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0 + [<0000000053d2b05d>] dev_change_flags+0x4d/0x60 + [<00000000982807e9>] do_setlink+0x28d/0x10a0 + [<0000000058c1be00>] __rtnl_newlink+0x545/0x980 + [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70 + [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390 + [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100 + [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0 + [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0 + [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60 + [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200 + [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0 + +Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct") +Reviewed-by: Ido Schimmel +Signed-off-by: Vlad Buslov +Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -381,8 +381,7 @@ static int vlan_device_event(struct noti + dev->name); + vlan_vid_add(dev, htons(ETH_P_8021Q), 0); + } +- if (event == NETDEV_DOWN && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) ++ if (event == NETDEV_DOWN) + vlan_vid_del(dev, htons(ETH_P_8021Q), 0); + + vlan_info = rtnl_dereference(dev->vlan_info); diff --git a/queue-4.19/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch b/queue-4.19/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch new file mode 100644 index 00000000000..44d06ff8815 --- /dev/null +++ b/queue-4.19/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch 
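Review bot: In vlan_device_event(), the `NETDEV_DOWN` path now calls `vlan_vid_del(dev, htons(ETH_P_8021Q), 0)` unconditionally, while the matching `vlan_vid_add()` in the context lines above still sits inside a block whose condition is outside the hunk. If that add remains gated on `NETIF_F_HW_VLAN_CTAG_FILTER`, a device that came up with the feature off gets a delete with no matching add. Should VID 0 be reference-counted and also held by another user, that delete could drop a reference this path does not own. It is worth confirming how vlan_vid_del() behaves when the vid was never added here, and recording the assumption in a comment such as `/* VID 0 is removed regardless of the current filter flag; the flag may have changed since NETDEV_UP */`.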
@@ -0,0 +1,33 @@ +From 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 22 Jun 2023 18:59:19 +0200 +Subject: wifi: cfg80211: fix sband iftype data lookup for AP_VLAN + +From: Felix Fietkau + +commit 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 upstream. + +AP_VLAN interfaces are virtual, so doesn't really exist as a type for +capabilities. When passed in as a type, AP is the one that's really intended. + +Fixes: c4cbaf7973a7 ("cfg80211: Add support for HE") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230622165919.46841-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cfg80211.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -370,6 +370,9 @@ ieee80211_get_sband_iftype_data(const st + if (WARN_ON(iftype >= NL80211_IFTYPE_MAX)) + return NULL; + ++ if (iftype == NL80211_IFTYPE_AP_VLAN) ++ iftype = NL80211_IFTYPE_AP; ++ + for (i = 0; i < sband->n_iftype_data; i++) { + const struct ieee80211_sband_iftype_data *data = + &sband->iftype_data[i];
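Review bot: The AP_VLAN remap added to ieee80211_get_sband_iftype_data() carries no comment, so the reason for it exists only in the commit message. A reader of the header sees `iftype` silently rewritten after the `WARN_ON(iftype >= NL80211_IFTYPE_MAX)` bounds check and has to guess why. I would add `/* AP_VLAN is a virtual type with no capability entry of its own; use the AP entry */` above the new `if`, and mention the mapping in the function's kernel-doc if it has one. The function starts and ends outside the hunk.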