From: Greg Kroah-Hartman Date: Mon, 20 Jan 2025 13:42:54 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.6.73~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ca59a20e48db1dbba5ee86e980fda71c124f513a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch vsock-prevent-null-ptr-deref-in-vsock_.patch vsock-reset-socket-state-when-de-assigning-the-transport.patch vsock-virtio-cancel-close-work-in-the-destructor.patch
---
diff --git a/queue-5.15/net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch b/queue-5.15/net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch
new file mode 100644
index 0000000000..019e37f80c
--- /dev/null
+++ b/queue-5.15/net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch
@@ -0,0 +1,93 @@
+From 6be7aca91009865d8c2b73589270224a6b6e67ab Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit
+Date: Sun, 12 Jan 2025 22:59:59 +0100
+Subject: net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
+
+From: Heiner Kallweit
+
+commit 6be7aca91009865d8c2b73589270224a6b6e67ab upstream.
+
+In 4.19, before the switch to linkmode bitmaps, PHY_GBIT_FEATURES
+included feature bits for aneg and TP/MII ports.
+
+ SUPPORTED_TP | \
+ SUPPORTED_MII)
+
+ SUPPORTED_10baseT_Full)
+
+ SUPPORTED_100baseT_Full)
+
+ SUPPORTED_1000baseT_Full)
+
+ PHY_100BT_FEATURES | \
+ PHY_DEFAULT_FEATURES)
+
+ PHY_1000BT_FEATURES)
+
+Referenced commit expanded PHY_GBIT_FEATURES, silently removing
+PHY_DEFAULT_FEATURES. The removed part can be re-added by using
+the new PHY_GBIT_FEATURES definition.
+Not clear to me is why nobody seems to have noticed this issue.
+
+I stumbled across this when checking what it takes to make
+phy_10_100_features_array et al private to phylib.
+
+Fixes: d0939c26c53a ("net: ethernet: xgbe: expand PHY_GBIT_FEAUTRES")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit
+Link: https://patch.msgid.link/46521973-7738-4157-9f5e-0bb6f694acba@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -856,7 +856,6 @@ static void xgbe_phy_free_phy_device(str
+
+ static bool xgbe_phy_finisar_phy_quirks(struct xgbe_prv_data *pdata)
+ {
+- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, };
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+ unsigned int phy_id = phy_data->phydev->phy_id;
+
+@@ -878,14 +877,7 @@ static bool xgbe_phy_finisar_phy_quirks(
+ phy_write(phy_data->phydev, 0x04, 0x0d01);
+ phy_write(phy_data->phydev, 0x00, 0x9140);
+
+- linkmode_set_bit_array(phy_10_100_features_array,
+- ARRAY_SIZE(phy_10_100_features_array),
+- supported);
+- linkmode_set_bit_array(phy_gbit_features_array,
+- ARRAY_SIZE(phy_gbit_features_array),
+- supported);
+-
+- linkmode_copy(phy_data->phydev->supported, supported);
++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES);
+
+ phy_support_asym_pause(phy_data->phydev);
+
+@@ -897,7 +889,6 @@ static bool xgbe_phy_finisar_phy_quirks(
+
+ static bool xgbe_phy_belfuse_phy_quirks(struct xgbe_prv_data *pdata)
+ {
+- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, };
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+ struct xgbe_sfp_eeprom *sfp_eeprom = &phy_data->sfp_eeprom;
+ unsigned int phy_id = phy_data->phydev->phy_id;
+@@ -961,13 +952,7 @@ static bool xgbe_phy_belfuse_phy_quirks(
+ reg = phy_read(phy_data->phydev, 0x00);
+ phy_write(phy_data->phydev, 0x00, reg & ~0x00800);
+
+- linkmode_set_bit_array(phy_10_100_features_array,
+- ARRAY_SIZE(phy_10_100_features_array),
+- supported);
+- linkmode_set_bit_array(phy_gbit_features_array,
+- ARRAY_SIZE(phy_gbit_features_array),
+- supported);
+- linkmode_copy(phy_data->phydev->supported, supported);
++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES);
+ phy_support_asym_pause(phy_data->phydev);
+
+ netif_dbg(pdata, drv, pdata->netdev,
diff --git a/queue-5.15/series b/queue-5.15/series
index a3350a73a5..24da8e1409 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -102,3 +102,7 @@ poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch
 nvmet-propagate-npwg-topology.patch
 zram-fix-potential-uaf-of-zram-table.patch
 x86-asm-make-serialize-always_inline.patch
+net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch
+vsock-virtio-cancel-close-work-in-the-destructor.patch
+vsock-reset-socket-state-when-de-assigning-the-transport.patch
+vsock-prevent-null-ptr-deref-in-vsock_.patch
diff --git a/queue-5.15/vsock-prevent-null-ptr-deref-in-vsock_.patch b/queue-5.15/vsock-prevent-null-ptr-deref-in-vsock_.patch
new file mode 100644
index 0000000000..69ce862535
--- /dev/null
+++ b/queue-5.15/vsock-prevent-null-ptr-deref-in-vsock_.patch
@@ -0,0 +1,70 @@
+From 91751e248256efc111e52e15115840c35d85abaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Fri, 10 Jan 2025 09:35:11 +0100
+Subject: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
+
+From: Stefano Garzarella
+
+commit 91751e248256efc111e52e15115840c35d85abaf upstream.
+
+Recent reports have shown how we sometimes call vsock_*_has_data()
+when a vsock socket has been de-assigned from a transport (see attached
+links), but we shouldn't.
+
+Previous commits should have solved the real problems, but we may have
+more in the future, so to avoid null-ptr-deref, we can return 0
+(no space, no data available) but with a warning.
+
+This way the code should continue to run in a nearly consistent state
+and have a warning that allows us to debug future problems.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/
+Link: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/
+Link: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/
+Co-developed-by: Hyunwoo Kim
+Signed-off-by: Hyunwoo Kim
+Co-developed-by: Wongi Lee
+Signed-off-by: Wongi Lee
+Signed-off-by: Stefano Garzarella
+Reviewed-by: Luigi Leonardi
+Reviewed-by: Hyunwoo Kim
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -870,6 +870,9 @@ EXPORT_SYMBOL_GPL(vsock_create_connected
+
+ s64 vsock_stream_has_data(struct vsock_sock *vsk)
+ {
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ return vsk->transport->stream_has_data(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_data);
+@@ -878,6 +881,9 @@ static s64 vsock_connectible_has_data(st
+ {
+ struct sock *sk = sk_vsock(vsk);
+
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ if (sk->sk_type == SOCK_SEQPACKET)
+ return vsk->transport->seqpacket_has_data(vsk);
+ else
+@@ -886,6 +892,9 @@ static s64 vsock_connectible_has_data(st
+
+ s64 vsock_stream_has_space(struct vsock_sock *vsk)
+ {
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ return vsk->transport->stream_has_space(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_space);
diff --git a/queue-5.15/vsock-reset-socket-state-when-de-assigning-the-transport.patch b/queue-5.15/vsock-reset-socket-state-when-de-assigning-the-transport.patch
new file mode 100644
index 0000000000..8eeb3f2de0
--- /dev/null
+++ b/queue-5.15/vsock-reset-socket-state-when-de-assigning-the-transport.patch
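Review bot: The three added guards in net/vmw_vsock/af_vsock.c use `WARN_ON`, which fires on every call, and the commit message says these helpers have already been reached with a de-assigned transport. If that state can still be entered from a local socket user, the splat repeats on each call and, on hosts running with panic_on_warn, becomes a crash instead of the intended soft failure; `if (WARN_ON_ONCE(!vsk->transport))` keeps the diagnostic in vsock_stream_has_data(), vsock_connectible_has_data() and vsock_stream_has_space() without that cost. `vsk->transport` is also read once for the check and again for the call, so the guard only helps if callers serialise against de-assignment, presumably under the socket lock, which these hunks do not show; a short comment saying so would document the requirement. The tail of vsock_connectible_has_data() lies outside the hunk.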
@@ -0,0 +1,45 @@
+From a24009bc9be60242651a21702609381b5092459e Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Fri, 10 Jan 2025 09:35:10 +0100
+Subject: vsock: reset socket state when de-assigning the transport
+
+From: Stefano Garzarella
+
+commit a24009bc9be60242651a21702609381b5092459e upstream.
+
+Transport's release() and destruct() are called when de-assigning the
+vsock transport. These callbacks can touch some socket state like
+sock flags, sk_state, and peer_shutdown.
+
+Since we are reassigning the socket to a new transport during
+vsock_connect(), let's reset these fields to have a clean state with
+the new transport.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella
+Reviewed-by: Luigi Leonardi
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -482,6 +482,15 @@ int vsock_assign_transport(struct vsock_
+ */
+ vsk->transport->release(vsk);
+ vsock_deassign_transport(vsk);
++
++ /* transport's release() and destruct() can touch some socket
++ * state, since we are reassigning the socket to a new transport
++ * during vsock_connect(), let's reset these fields to have a
++ * clean state.
++ */
++ sock_reset_flag(sk, SOCK_DONE);
++ sk->sk_state = TCP_CLOSE;
++ vsk->peer_shutdown = 0;
+ }
+
+ /* We increase the module refcnt to prevent the transport unloading
diff --git a/queue-5.15/vsock-virtio-cancel-close-work-in-the-destructor.patch b/queue-5.15/vsock-virtio-cancel-close-work-in-the-destructor.patch
new file mode 100644
index 0000000000..65a9b0a82c
--- /dev/null
+++ b/queue-5.15/vsock-virtio-cancel-close-work-in-the-destructor.patch
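Review bot: The comment added in vsock_assign_transport() says release() and destruct() "can touch some socket state" without naming the fields, so nothing ties the three resets below it to the code that dirties them. On this page virtio_transport_do_close() sets exactly `SOCK_DONE`, `vsk->peer_shutdown` and `sk->sk_state`; other transports are not visible here and may touch more. I would name the fields in the comment and ask that the list be extended whenever a transport's release()/destruct() path starts changing other state, e.g. `/* Undo SOCK_DONE, sk_state and peer_shutdown set by the old transport's close path; keep in sync with the transports. */`. The hunk also does not show which lock covers the write to `sk->sk_state` (presumably the caller holds the socket lock), and vsock_assign_transport() starts and ends outside it.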
@@ -0,0 +1,101 @@
+From df137da9d6d166e87e40980e36eb8e0bc90483ef Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Fri, 10 Jan 2025 09:35:09 +0100
+Subject: vsock/virtio: cancel close work in the destructor
+
+From: Stefano Garzarella
+
+commit df137da9d6d166e87e40980e36eb8e0bc90483ef upstream.
+
+During virtio_transport_release() we can schedule a delayed work to
+perform the closing of the socket before destruction.
+
+The destructor is called either when the socket is really destroyed
+(reference counter to zero), or it can also be called when we are
+de-assigning the transport.
+
+In the former case, we are sure the delayed work has completed, because
+it holds a reference until it completes, so the destructor will
+definitely be called after the delayed work is finished.
+But in the latter case, the destructor is called by AF_VSOCK core, just
+after the release(), so there may still be delayed work scheduled.
+
+Refactor the code, moving the code to delete the close work already in
+the do_close() to a new function. Invoke it during destruction to make
+sure we don't leave any pending work.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim
+Closes: https://lore.kernel.org/netdev/Z37Sh+utS+iV3+eb@v4bel-B760M-AORUS-ELITE-AX/
+Signed-off-by: Stefano Garzarella
+Reviewed-by: Luigi Leonardi
+Tested-by: Hyunwoo Kim
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -26,6 +26,9 @@
+ /* Threshold for detecting small packets to copy */
+ #define GOOD_COPY_LEN 128
+
++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk,
++ bool cancel_timeout);
++
+ static const struct virtio_transport *
+ virtio_transport_get_ops(struct vsock_sock *vsk)
+ {
+@@ -811,6 +814,8 @@ void virtio_transport_destruct(struct vs
+ {
+ struct virtio_vsock_sock *vvs = vsk->trans;
+
++ virtio_transport_cancel_close_work(vsk, true);
++
+ kfree(vvs);
+ vsk->trans = NULL;
+ }
+@@ -899,17 +904,11 @@ static void virtio_transport_wait_close(
+ }
+ }
+
+-static void virtio_transport_do_close(struct vsock_sock *vsk,
+- bool cancel_timeout)
++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk,
++ bool cancel_timeout)
+ {
+ struct sock *sk = sk_vsock(vsk);
+
+- sock_set_flag(sk, SOCK_DONE);
+- vsk->peer_shutdown = SHUTDOWN_MASK;
+- if (vsock_stream_has_data(vsk) <= 0)
+- sk->sk_state = TCP_CLOSING;
+- sk->sk_state_change(sk);
+-
+ if (vsk->close_work_scheduled &&
+ (!cancel_timeout || cancel_delayed_work(&vsk->close_work))) {
+ vsk->close_work_scheduled = false;
+@@ -921,6 +920,20 @@ static void virtio_transport_do_close(st
+ }
+ }
+
++static void virtio_transport_do_close(struct vsock_sock *vsk,
++ bool cancel_timeout)
++{
++ struct sock *sk = sk_vsock(vsk);
++
++ sock_set_flag(sk, SOCK_DONE);
++ vsk->peer_shutdown = SHUTDOWN_MASK;
++ if (vsock_stream_has_data(vsk) <= 0)
++ sk->sk_state = TCP_CLOSING;
++ sk->sk_state_change(sk);
++
++ virtio_transport_cancel_close_work(vsk, cancel_timeout);
++}
++
+ static void virtio_transport_close_timeout(struct work_struct *work)
+ {
+ struct vsock_sock *vsk =
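Review bot: virtio_transport_destruct() now calls the helper with `cancel_timeout` set to true, so cancellation goes through `cancel_delayed_work()`, which does not wait for a handler that has already started. In that case the condition in virtio_transport_cancel_close_work() is false, `close_work_scheduled` stays set, and the destructor continues to `kfree(vvs)` while virtio_transport_close_timeout() may still be running. Whether that is safe depends on locking and reference handling that these hunks do not show, so the call deserves a comment stating which lock the de-assign path holds and why a non-waiting cancel is enough, or why `cancel_delayed_work_sync()` cannot be used there. The bodies of virtio_transport_cancel_close_work() and virtio_transport_close_timeout() continue outside the hunks.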