From: Sasha Levin Date: Fri, 20 Dec 2024 14:39:02 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.1.122~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa1dea861cba1d12850fe0707113a2a2b22446d1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/ionic-use-ee-offset-when-returning-sprom-data.patch b/queue-5.4/ionic-use-ee-offset-when-returning-sprom-data.patch new file mode 100644 index 00000000000..00e39da5fb9 --- /dev/null +++ b/queue-5.4/ionic-use-ee-offset-when-returning-sprom-data.patch @@ -0,0 +1,42 @@ +From 4e5e2a9f1bd02960895ff6f911f9c5051567350a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 13:31:57 -0800 +Subject: ionic: use ee->offset when returning sprom data + +From: Shannon Nelson + +[ Upstream commit b096d62ba1323391b2db98b7704e2468cf3b1588 ] + +Some calls into ionic_get_module_eeprom() don't use a single +full buffer size, but instead multiple calls with an offset. +Teach our driver to use the offset correctly so we can +respond appropriately to the caller. + +Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support") +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20241212213157.12212-4-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +index c53d2271d8ab..dd4b89c90d67 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +@@ -711,8 +711,8 @@ static int ionic_get_module_eeprom(struct net_device *netdev, + len = min_t(u32, sizeof(xcvr->sprom), ee->len); + + do { +- memcpy(data, xcvr->sprom, len); +- memcpy(tbuf, xcvr->sprom, len); ++ memcpy(data, &xcvr->sprom[ee->offset], len); ++ memcpy(tbuf, &xcvr->sprom[ee->offset], len); + + /* Let's make sure we got a consistent copy */ + if (!memcmp(data, tbuf, len)) +-- +2.39.5 + diff --git a/queue-5.4/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch b/queue-5.4/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch new file mode 100644 index 00000000000..08508de702f --- /dev/null +++ b/queue-5.4/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch @@ -0,0 +1,51 @@ +From 29fe487c5e2a78e737473c2ea7d2638ded5bd7bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Dec 2024 10:49:12 +0900 +Subject: net: ethernet: bgmac-platform: fix an OF node reference leak + +From: Joe Hattori + +[ Upstream commit 0cb2c504d79e7caa3abade3f466750c82ad26f01 ] + +The OF node obtained by of_parse_phandle() is not freed. Call +of_node_put() to balance the refcount. + +This bug was found by an experimental static analysis tool that I am +developing. + +Fixes: 1676aba5ef7e ("net: ethernet: bgmac: device tree phy enablement") +Signed-off-by: Joe Hattori +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241214014912.2810315-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac-platform.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bgmac-platform.c b/drivers/net/ethernet/broadcom/bgmac-platform.c +index c46c1b1416f7..cdbd9ef85981 100644 +--- a/drivers/net/ethernet/broadcom/bgmac-platform.c ++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c +@@ -171,6 +171,7 @@ static int platform_phy_connect(struct bgmac *bgmac) + static int bgmac_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; ++ struct device_node *phy_node; + struct bgmac *bgmac; + struct resource *regs; + const u8 *mac_addr; +@@ -237,7 +238,9 @@ static int bgmac_probe(struct platform_device *pdev) + bgmac->cco_ctl_maskset = platform_bgmac_cco_ctl_maskset; + bgmac->get_bus_clock = platform_bgmac_get_bus_clock; + bgmac->cmn_maskset32 = platform_bgmac_cmn_maskset32; +- if (of_parse_phandle(np, "phy-handle", 0)) { ++ phy_node = of_parse_phandle(np, "phy-handle", 0); ++ if (phy_node) { ++ of_node_put(phy_node); + bgmac->phy_connect = platform_phy_connect; + } else { + bgmac->phy_connect = bgmac_phy_connect_direct; +-- +2.39.5 + diff --git a/queue-5.4/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch b/queue-5.4/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch new file mode 100644 index 00000000000..d419921e5e5 --- /dev/null +++ b/queue-5.4/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch @@ -0,0 +1,54 @@ +From 1a491e6d6ee71840703b72c9b91dea092fc19bff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 17:28:11 +0300 +Subject: net: hinic: Fix cleanup in create_rxqs/txqs() + +From: Dan Carpenter + +[ Upstream commit 7203d10e93b6e6e1d19481ef7907de6a9133a467 ] + +There is a check for NULL at the start of create_txqs() and +create_rxqs() which tess if "nic_dev->txqs" is non-NULL. The +intention is that if the device is already open and the queues +are already created then we don't create them a second time. + +However, the bug is that if we have an error in the create_txqs() +then the pointer doesn't get set back to NULL. The NULL check +at the start of the function will say that it's already open when +it's not and the device can't be used. + +Set ->txqs back to NULL on cleanup on error. + +Fixes: c3e79baf1b03 ("net-next/hinic: Add logical Txq and Rxq") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/0cc98faf-a0ed-4565-a55b-0fa2734bc205@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c +index 3f739ce40201..4361e56d7dd3 100644 +--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c +@@ -161,6 +161,7 @@ static int create_txqs(struct hinic_dev *nic_dev) + hinic_clean_txq(&nic_dev->txqs[j]); + + devm_kfree(&netdev->dev, nic_dev->txqs); ++ nic_dev->txqs = NULL; + return err; + } + +@@ -221,6 +222,7 @@ static int create_rxqs(struct hinic_dev *nic_dev) + hinic_clean_rxq(&nic_dev->rxqs[j]); + + devm_kfree(&netdev->dev, nic_dev->rxqs); ++ nic_dev->rxqs = NULL; + return err; + } + +-- +2.39.5 + diff --git a/queue-5.4/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch b/queue-5.4/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch new file mode 100644 index 00000000000..6a5306db0a8 --- /dev/null +++ b/queue-5.4/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch @@ -0,0 +1,63 @@ +From 5b35b5cfd6609ea670f2b5ee66395ad6162ce88d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:17 +0800 +Subject: net/smc: check sndbuf_space again after NOSPACE flag is set in + smc_poll + +From: Guangguan Wang + +[ Upstream commit 679e9ddcf90dbdf98aaaa71a492454654b627bcb ] + +When application sending data more than sndbuf_space, there have chances +application will sleep in epoll_wait, and will never be wakeup again. This +is caused by a race between smc_poll and smc_cdc_tx_handler. + +application tasklet +smc_tx_sendmsg(len > sndbuf_space) | +epoll_wait for EPOLL_OUT,timeout=0 | + smc_poll | + if (!smc->conn.sndbuf_space) | + | smc_cdc_tx_handler + | atomic_add sndbuf_space + | smc_tx_sndbuf_nonfull + | if (!test_bit SOCK_NOSPACE) + | do not sk_write_space; + set_bit SOCK_NOSPACE; | + return mask=0; | + +Application will sleep in epoll_wait as smc_poll returns 0. And +smc_cdc_tx_handler will not call sk_write_space because the SOCK_NOSPACE +has not be set. If there is no inflight cdc msg, sk_write_space will not be +called any more, and application will sleep in epoll_wait forever. +So check sndbuf_space again after NOSPACE flag is set to break the race. + +Fixes: 8dce2786a290 ("net/smc: smc_poll improvements") +Signed-off-by: Guangguan Wang +Suggested-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index e070b0e2a30c..1373a0082b5a 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1660,6 +1660,13 @@ static __poll_t smc_poll(struct file *file, struct socket *sock, + } else { + sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk); + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); ++ ++ if (sk->sk_state != SMC_INIT) { ++ /* Race breaker the same way as tcp_poll(). */ ++ smp_mb__after_atomic(); ++ if (atomic_read(&smc->conn.sndbuf_space)) ++ mask |= EPOLLOUT | EPOLLWRNORM; ++ } + } + if (atomic_read(&smc->conn.bytes_to_rcv)) + mask |= EPOLLIN | EPOLLRDNORM; +-- +2.39.5 + diff --git a/queue-5.4/netfilter-ipset-fix-for-recursive-locking-warning.patch b/queue-5.4/netfilter-ipset-fix-for-recursive-locking-warning.patch new file mode 100644 index 00000000000..2ce085e5c24 --- /dev/null +++ b/queue-5.4/netfilter-ipset-fix-for-recursive-locking-warning.patch @@ -0,0 +1,62 @@ +From 66e9b3635f67d80f1dbb7267f726d853d21d6e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 20:56:55 +0100 +Subject: netfilter: ipset: Fix for recursive locking warning + +From: Phil Sutter + +[ Upstream commit 70b6f46a4ed8bd56c85ffff22df91e20e8c85e33 ] + +With CONFIG_PROVE_LOCKING, when creating a set of type bitmap:ip, adding +it to a set of type list:set and populating it from iptables SET target +triggers a kernel warning: + +| WARNING: possible recursive locking detected +| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted +| -------------------------------------------- +| ping/4018 is trying to acquire lock: +| ffff8881094a6848 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] +| +| but task is already holding lock: +| ffff88811034c048 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] + +This is a false alarm: ipset does not allow nested list:set type, so the +loop in list_set_kadd() can never encounter the outer set itself. No +other set type supports embedded sets, so this is the only case to +consider. + +To avoid the false report, create a distinct lock class for list:set +type ipset locks. + +Fixes: f830837f0eed ("netfilter: ipset: list:set set type support") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_list_set.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c +index c4aae8c586ac..b8b4beb2073e 100644 +--- a/net/netfilter/ipset/ip_set_list_set.c ++++ b/net/netfilter/ipset/ip_set_list_set.c +@@ -611,6 +611,8 @@ init_list_set(struct net *net, struct ip_set *set, u32 size) + return true; + } + ++static struct lock_class_key list_set_lockdep_key; ++ + static int + list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + u32 flags) +@@ -627,6 +629,7 @@ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + if (size < IP_SET_LIST_MIN_SIZE) + size = IP_SET_LIST_MIN_SIZE; + ++ lockdep_set_class(&set->lock, &list_set_lockdep_key); + set->variant = &set_variant; + set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem), + __alignof__(struct set_elem)); +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 59cdcc31b41..875fa71c4d1 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -7,3 +7,8 @@ i2c-pnx-fix-timeout-in-wait-functions.patch drm-i915-fix-memory-leak-by-correcting-cache-object-.patch erofs-fix-order-max_order-warning-due-to-crafted-neg.patch erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch +net-smc-check-sndbuf_space-again-after-nospace-flag-.patch +ionic-use-ee-offset-when-returning-sprom-data.patch +net-hinic-fix-cleanup-in-create_rxqs-txqs.patch +net-ethernet-bgmac-platform-fix-an-of-node-reference.patch +netfilter-ipset-fix-for-recursive-locking-warning.patch