From: Sasha Levin Date: Fri, 10 Jan 2025 14:26:06 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.1.125~68 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d08116e4ed75f47dcb4f672deebc6f20c9c7c69d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch b/queue-5.15/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch new file mode 100644 index 00000000000..111eeb846df --- /dev/null +++ b/queue-5.15/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch @@ -0,0 +1,47 @@ +From 90a062bd9f8712aeb7abdabd554099c2b735397d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 20:38:47 -0800 +Subject: bnxt_en: Fix possible memory leak when hwrm_req_replace fails + +From: Kalesh AP + +[ Upstream commit c8dafb0e4398dacc362832098a04b97da3b0395b ] + +When hwrm_req_replace() fails, the driver is not invoking bnxt_req_drop() +which could cause a memory leak. + +Fixes: bbf33d1d9805 ("bnxt_en: update all firmware calls to use the new APIs") +Reviewed-by: Pavan Chebbi +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20250104043849.3482067-2-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index fde0c3e8ac57..871f695e7076 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -252,7 +252,7 @@ static int bnxt_send_msg(struct bnxt_en_dev *edev, int ulp_id, + + rc = hwrm_req_replace(bp, req, fw_msg->msg, fw_msg->msg_len); + if (rc) +- return rc; ++ goto drop_req; + + hwrm_req_timeout(bp, req, fw_msg->timeout); + resp = hwrm_req_hold(bp, req); +@@ -264,6 +264,7 @@ static int bnxt_send_msg(struct bnxt_en_dev *edev, int ulp_id, + + memcpy(fw_msg->resp, resp, resp_len); + } ++drop_req: + hwrm_req_drop(bp, req); + return rc; + } +-- +2.39.5 + diff --git a/queue-5.15/cxgb4-avoid-removal-of-uninserted-tid.patch b/queue-5.15/cxgb4-avoid-removal-of-uninserted-tid.patch new file mode 100644 index 00000000000..afd1281897d --- /dev/null +++ b/queue-5.15/cxgb4-avoid-removal-of-uninserted-tid.patch @@ -0,0 +1,42 @@ +From b74da888cfba949445406fe42b3c27f63ed3087e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 14:53:27 +0530 +Subject: cxgb4: Avoid removal of uninserted tid + +From: Anumula Murali Mohan Reddy + +[ Upstream commit 4c1224501e9d6c5fd12d83752f1c1b444e0e3418 ] + +During ARP failure, tid is not inserted but _c4iw_free_ep() +attempts to remove tid which results in error. +This patch fixes the issue by avoiding removal of uninserted tid. + +Fixes: 59437d78f088 ("cxgb4/chtls: fix ULD connection failures due to wrong TID base") +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Link: https://patch.msgid.link/20250103092327.1011925-1-anumula@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 21afaa81697e..47529c77654c 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -1800,7 +1800,10 @@ void cxgb4_remove_tid(struct tid_info *t, unsigned int chan, unsigned int tid, + struct adapter *adap = container_of(t, struct adapter, tids); + struct sk_buff *skb; + +- WARN_ON(tid_out_of_range(&adap->tids, tid)); ++ if (tid_out_of_range(&adap->tids, tid)) { ++ dev_err(adap->pdev_dev, "tid %d out of range\n", tid); ++ return; ++ } + + if (t->tid_tab[tid - adap->tids.tid_base]) { + t->tid_tab[tid - adap->tids.tid_base] = NULL; +-- +2.39.5 + diff --git a/queue-5.15/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch b/queue-5.15/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch new file mode 100644 index 00000000000..597787e9996 --- /dev/null +++ b/queue-5.15/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch @@ -0,0 +1,45 @@ +From e15ca3df3da3ff95047c2832bc64f785e25bcee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2024 19:27:12 +0100 +Subject: ieee802154: ca8210: Add missing check for kfifo_alloc() in + ca8210_probe() + +From: Keisuke Nishimura + +[ Upstream commit 2c87309ea741341c6722efdf1fb3f50dd427c823 ] + +ca8210_test_interface_init() returns the result of kfifo_alloc(), +which can be non-zero in case of an error. The caller, ca8210_probe(), +should check the return value and do error-handling if it fails. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Keisuke Nishimura +Reviewed-by: Simon Horman +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/20241029182712.318271-1-keisuke.nishimura@inria.fr +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index dc786c3bbccf..d6dafd9876d2 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -3125,7 +3125,11 @@ static int ca8210_probe(struct spi_device *spi_device) + spi_set_drvdata(priv->spi, priv); + if (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS)) { + cascoda_api_upstream = ca8210_test_int_driver_write; +- ca8210_test_interface_init(priv); ++ ret = ca8210_test_interface_init(priv); ++ if (ret) { ++ dev_crit(&spi_device->dev, "ca8210_test_interface_init failed\n"); ++ goto error; ++ } + } else { + cascoda_api_upstream = NULL; + } +-- +2.39.5 + diff --git a/queue-5.15/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch b/queue-5.15/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch new file mode 100644 index 00000000000..1259d937aed --- /dev/null +++ b/queue-5.15/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch @@ -0,0 +1,56 @@ +From 1ea0af7b18260a657157b0a0b53de95870e27860 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 20:23:00 -0500 +Subject: net: 802: LLC+SNAP OID:PID lookup on start of skb data + +From: Antonio Pastor + +[ Upstream commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 ] + +802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA +have skb->transport_header set two bytes short, or pointing 2 bytes +before network_header & skb->data. This was an issue as snap_rcv() +expected offset to point to SNAP header (OID:PID), causing packet to +be dropped. + +A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any +LLC consumers that may care about it, and stops SNAP packets from being +dropped, but doesn't fix the problem which is that LLC and SNAP should +not use transport_header offset. + +Ths patch eliminates the use of transport_header offset for SNAP lookup +of OID:PID so that SNAP does not rely on the offset at all. +The offset is reset after pull for any SNAP packet consumers that may +(but shouldn't) use it. + +Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +Signed-off-by: Antonio Pastor +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250103012303.746521-1-antonio.pastor@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/802/psnap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/802/psnap.c b/net/802/psnap.c +index 4492e8d7ad20..ed6e17c8cce9 100644 +--- a/net/802/psnap.c ++++ b/net/802/psnap.c +@@ -55,11 +55,11 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, + goto drop; + + rcu_read_lock(); +- proto = find_snap_client(skb_transport_header(skb)); ++ proto = find_snap_client(skb->data); + if (proto) { + /* Pass the frame on. */ +- skb->transport_header += 5; + skb_pull_rcsum(skb, 5); ++ skb_reset_transport_header(skb); + rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); + } + rcu_read_unlock(); +-- +2.39.5 + diff --git a/queue-5.15/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch b/queue-5.15/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch new file mode 100644 index 00000000000..9b71caad9dd --- /dev/null +++ b/queue-5.15/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch @@ -0,0 +1,96 @@ +From e92e4e8cbb90539ec6003ae43bc7c32f02e7c7a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:38 +0800 +Subject: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices + +From: Jie Wang + +[ Upstream commit 2cf246143519ecc11dab754385ec42d78b6b6a05 ] + +Currently, HIP08 devices does not register the ptp devices, so the +hdev->ptp is NULL. But the tx process would still try to set hardware time +stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash. + +[ 128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 +... +[ 128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge] +[ 128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge] +[ 128.292938] sp : ffff800059b93140 +[ 128.297200] x29: ffff800059b93140 x28: 0000000000003280 +[ 128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080 +[ 128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001 +[ 128.315969] x23: 0000000000000000 x22: 0000000000000194 +[ 128.322219] x21: ffff0cd94f986000 x20: 0000000000000000 +[ 128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000 +[ 128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24 +[ 128.340934] x15: 0000ffffd530a518 x14: 0000000000000000 +[ 128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368 +[ 128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02 +[ 128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0 +[ 128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000 +[ 128.372040] x5 : 0000000000000000 x4 : 000000000000ffff +[ 128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294 +[ 128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080 +[ 128.390626] Call trace: +[ 128.393964] hclge_ptp_set_tx_info+0x2c/0x140 [hclge] +[ 128.399893] hns3_nic_net_xmit+0x39c/0x4c4 [hns3] +[ 128.405468] xmit_one.constprop.0+0xc4/0x200 +[ 128.410600] dev_hard_start_xmit+0x54/0xf0 +[ 128.415556] sch_direct_xmit+0xe8/0x634 +[ 128.420246] __dev_queue_xmit+0x224/0xc70 +[ 128.425101] dev_queue_xmit+0x1c/0x40 +[ 128.429608] ovs_vport_send+0xac/0x1a0 [openvswitch] +[ 128.435409] do_output+0x60/0x17c [openvswitch] +[ 128.440770] do_execute_actions+0x898/0x8c4 [openvswitch] +[ 128.446993] ovs_execute_actions+0x64/0xf0 [openvswitch] +[ 128.453129] ovs_dp_process_packet+0xa0/0x224 [openvswitch] +[ 128.459530] ovs_vport_receive+0x7c/0xfc [openvswitch] +[ 128.465497] internal_dev_xmit+0x34/0xb0 [openvswitch] +[ 128.471460] xmit_one.constprop.0+0xc4/0x200 +[ 128.476561] dev_hard_start_xmit+0x54/0xf0 +[ 128.481489] __dev_queue_xmit+0x968/0xc70 +[ 128.486330] dev_queue_xmit+0x1c/0x40 +[ 128.490856] ip_finish_output2+0x250/0x570 +[ 128.495810] __ip_finish_output+0x170/0x1e0 +[ 128.500832] ip_finish_output+0x3c/0xf0 +[ 128.505504] ip_output+0xbc/0x160 +[ 128.509654] ip_send_skb+0x58/0xd4 +[ 128.513892] udp_send_skb+0x12c/0x354 +[ 128.518387] udp_sendmsg+0x7a8/0x9c0 +[ 128.522793] inet_sendmsg+0x4c/0x8c +[ 128.527116] __sock_sendmsg+0x48/0x80 +[ 128.531609] __sys_sendto+0x124/0x164 +[ 128.536099] __arm64_sys_sendto+0x30/0x5c +[ 128.540935] invoke_syscall+0x50/0x130 +[ 128.545508] el0_svc_common.constprop.0+0x10c/0x124 +[ 128.551205] do_el0_svc+0x34/0xdc +[ 128.555347] el0_svc+0x20/0x30 +[ 128.559227] el0_sync_handler+0xb8/0xc0 +[ 128.563883] el0_sync+0x160/0x180 + +Fixes: 0bf5eb788512 ("net: hns3: add support for PTP") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c +index 0f06f95b09bc..8802cdd6403e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c +@@ -70,6 +70,9 @@ bool hclge_ptp_set_tx_info(struct hnae3_handle *handle, struct sk_buff *skb) + struct hclge_dev *hdev = vport->back; + struct hclge_ptp *ptp = hdev->ptp; + ++ if (!ptp) ++ return false; ++ + if (!test_bit(HCLGE_PTP_FLAG_TX_EN, &ptp->flags) || + test_and_set_bit(HCLGE_STATE_PTP_TX_HANDLING, &hdev->state)) { + ptp->tx_skipped++; +-- +2.39.5 + diff --git a/queue-5.15/net-hns3-fix-missing-features-due-to-dev-features-co.patch b/queue-5.15/net-hns3-fix-missing-features-due-to-dev-features-co.patch new file mode 100644 index 00000000000..930ac5f41c5 --- /dev/null +++ b/queue-5.15/net-hns3-fix-missing-features-due-to-dev-features-co.patch @@ -0,0 +1,39 @@ +From 939da5e968f8673a395be9cd77359f084170be5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:33 +0800 +Subject: net: hns3: fix missing features due to dev->features configuration + too early + +From: Hao Lan + +[ Upstream commit 662ecfc46690e92cf630f51b5d4bbbcffe102980 ] + +Currently, the netdev->features is configured in hns3_nic_set_features. +As a result, __netdev_update_features considers that there is no feature +difference, and the procedures of the real features are missing. + +Fixes: 2a7556bb2b73 ("net: hns3: implement ndo_features_check ops for hns3 driver") +Signed-off-by: Hao Lan +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index d6bdcd9f285b..f277ba8a1509 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2314,7 +2314,6 @@ static int hns3_nic_set_features(struct net_device *netdev, + return ret; + } + +- netdev->features = features; + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.15/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch b/queue-5.15/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch new file mode 100644 index 00000000000..398bc139cec --- /dev/null +++ b/queue-5.15/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch @@ -0,0 +1,45 @@ +From 9253db84c25c4b8efd8d0e94e0c4e44219aa60f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:36 +0800 +Subject: net: hns3: initialize reset_timer before hclgevf_misc_irq_init() + +From: Jian Shen + +[ Upstream commit d1c2e2961ab460ac2433ff8ad46000582abc573c ] + +Currently the misc irq is initialized before reset_timer setup. But +it will access the reset_timer in the irq handler. So initialize +the reset_timer earlier. + +Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index 5b861a2a3e73..b011df3a684f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2793,6 +2793,7 @@ static void hclgevf_state_init(struct hclgevf_dev *hdev) + clear_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state); + + INIT_DELAYED_WORK(&hdev->service_task, hclgevf_service_task); ++ timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0); + + mutex_init(&hdev->mbx_resp.mbx_mutex); + sema_init(&hdev->reset_sem, 1); +@@ -3488,7 +3489,6 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev) + HCLGEVF_DRIVER_NAME); + + hclgevf_task_schedule(hdev, round_jiffies_relative(HZ)); +- timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0); + + return 0; + +-- +2.39.5 + diff --git a/queue-5.15/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch b/queue-5.15/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch new file mode 100644 index 00000000000..13a73f14614 --- /dev/null +++ b/queue-5.15/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch @@ -0,0 +1,47 @@ +From c8ce5e5f85c8983d3f062e863a27e9b9146469e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:34 +0800 +Subject: net: hns3: Resolved the issue that the debugfs query result is + inconsistent. + +From: Hao Lan + +[ Upstream commit 2758f18a83ef283d50c0566d3f672621cc658a1a ] + +This patch modifies the implementation of debugfs: +When the user process stops unexpectedly, not all data of the file system +is read. In this case, the save_buf pointer is not released. When the user +process is called next time, save_buf is used to copy the cached data +to the user space. As a result, the queried data is inconsistent. To solve +this problem, determine whether the function is invoked for the first time +based on the value of *ppos. If *ppos is 0, obtain the actual data. + +Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") +Signed-off-by: Hao Lan +Signed-off-by: Guangwei Zhang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index bd801e35d51e..b4580c02ff53 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -1043,8 +1043,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, + + /* save the buffer addr until the last read operation */ + *save_buf = read_buf; ++ } + +- /* get data ready for the first time to read */ ++ /* get data ready for the first time to read */ ++ if (!*ppos) { + ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd, + read_buf, hns3_dbg_cmd[index].buf_len); + if (ret) +-- +2.39.5 + diff --git a/queue-5.15/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch b/queue-5.15/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch new file mode 100644 index 00000000000..98a0176fef2 --- /dev/null +++ b/queue-5.15/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch @@ -0,0 +1,74 @@ +From 89f6ef0b9433c91ae327d7ce51d1d05f7052291d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 10:45:46 +0000 +Subject: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute + +From: Eric Dumazet + +[ Upstream commit a039e54397c6a75b713b9ce7894a62e06956aa92 ] + +syzbot found that TCA_FLOW_RSHIFT attribute was not validated. +Right shitfing a 32bit integer is undefined for large shift values. + +UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 +shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') +CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: ipv6_addrconf addrconf_dad_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 + flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1771 [inline] + tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 + sfb_classify net/sched/sch_sfb.c:260 [inline] + sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 + dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 + __dev_xmit_skb net/core/dev.c:3889 [inline] + __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 + dev_queue_xmit include/linux/netdevice.h:3168 [inline] + neigh_hh_output include/net/neighbour.h:523 [inline] + neigh_output include/net/neighbour.h:537 [inline] + ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 + iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 + udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 + geneve_xmit_skb drivers/net/geneve.c:916 [inline] + geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 + __netdev_start_xmit include/linux/netdevice.h:5002 [inline] + netdev_start_xmit include/linux/netdevice.h:5011 [inline] + xmit_one net/core/dev.c:3590 [inline] + dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 + __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434 + +Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier") +Reported-by: syzbot+1dbb57d994e54aaa04d2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6777bf49.050a0220.178762.0040.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250103104546.3714168-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_flow.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c +index 972303aa8edd..22ed49748302 100644 +--- a/net/sched/cls_flow.c ++++ b/net/sched/cls_flow.c +@@ -354,7 +354,8 @@ static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = { + [TCA_FLOW_KEYS] = { .type = NLA_U32 }, + [TCA_FLOW_MODE] = { .type = NLA_U32 }, + [TCA_FLOW_BASECLASS] = { .type = NLA_U32 }, +- [TCA_FLOW_RSHIFT] = { .type = NLA_U32 }, ++ [TCA_FLOW_RSHIFT] = NLA_POLICY_MAX(NLA_U32, ++ 31 /* BITS_PER_U32 - 1 */), + [TCA_FLOW_ADDEND] = { .type = NLA_U32 }, + [TCA_FLOW_MASK] = { .type = NLA_U32 }, + [TCA_FLOW_XOR] = { .type = NLA_U32 }, +-- +2.39.5 + diff --git a/queue-5.15/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch b/queue-5.15/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch new file mode 100644 index 00000000000..d072ea1d4d7 --- /dev/null +++ b/queue-5.15/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch @@ -0,0 +1,48 @@ +From b57dd9e98bfccbaca24f8ed6f70f688c732fb7b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 22:56:33 +0100 +Subject: netfilter: conntrack: clamp maximum hashtable size to INT_MAX + +From: Pablo Neira Ayuso + +[ Upstream commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 ] + +Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it +is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when +resizing hashtable because __GFP_NOWARN is unset. See: + + 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") + +Note: hashtable resize is only possible from init_netns. + +Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index be6031886f94..00a97743507d 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -2589,12 +2589,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls) + struct hlist_nulls_head *hash; + unsigned int nr_slots, i; + +- if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head))) ++ if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head))) + return NULL; + + BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head)); + nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head)); + ++ if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head))) ++ return NULL; ++ + hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL); + + if (hash && nulls) +-- +2.39.5 + diff --git a/queue-5.15/netfilter-nf_tables-imbalance-in-flowtable-binding.patch b/queue-5.15/netfilter-nf_tables-imbalance-in-flowtable-binding.patch new file mode 100644 index 00000000000..4eeb3b56b0e --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-imbalance-in-flowtable-binding.patch @@ -0,0 +1,117 @@ +From 88bdd62b68dfdb0778a28ed42a78c9ba6642fd18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 13:01:13 +0100 +Subject: netfilter: nf_tables: imbalance in flowtable binding + +From: Pablo Neira Ayuso + +[ Upstream commit 13210fc63f353fe78584048079343413a3cdf819 ] + +All these cases cause imbalance between BIND and UNBIND calls: + +- Delete an interface from a flowtable with multiple interfaces + +- Add a (device to a) flowtable with --check flag + +- Delete a netns containing a flowtable + +- In an interactive nft session, create a table with owner flag and + flowtable inside, then quit. + +Fix it by calling FLOW_BLOCK_UNBIND when unregistering hooks, then +remove late FLOW_BLOCK_UNBIND call when destroying flowtable. + +Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()") +Reported-by: Phil Sutter +Tested-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 7fdeed8a3186..e86cc6f4ce9d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7794,6 +7794,7 @@ static void nft_unregister_flowtable_hook(struct net *net, + } + + static void __nft_unregister_flowtable_net_hooks(struct net *net, ++ struct nft_flowtable *flowtable, + struct list_head *hook_list, + bool release_netdev) + { +@@ -7801,6 +7802,8 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + + list_for_each_entry_safe(hook, next, hook_list, list) { + nf_unregister_net_hook(net, &hook->ops); ++ flowtable->data.type->setup(&flowtable->data, hook->ops.dev, ++ FLOW_BLOCK_UNBIND); + if (release_netdev) { + list_del(&hook->list); + kfree_rcu(hook, rcu); +@@ -7809,9 +7812,10 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + } + + static void nft_unregister_flowtable_net_hooks(struct net *net, ++ struct nft_flowtable *flowtable, + struct list_head *hook_list) + { +- __nft_unregister_flowtable_net_hooks(net, hook_list, false); ++ __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false); + } + + static int nft_register_flowtable_net_hooks(struct net *net, +@@ -8433,8 +8437,6 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) + + flowtable->data.type->free(&flowtable->data); + list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { +- flowtable->data.type->setup(&flowtable->data, hook->ops.dev, +- FLOW_BLOCK_UNBIND); + list_del_rcu(&hook->list); + kfree_rcu(hook, rcu); + } +@@ -9668,6 +9670,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + &nft_trans_flowtable_hooks(trans), + NFT_MSG_DELFLOWTABLE); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans)); + } else { + list_del_rcu(&nft_trans_flowtable(trans)->list); +@@ -9676,6 +9679,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + &nft_trans_flowtable(trans)->hook_list, + NFT_MSG_DELFLOWTABLE); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable(trans)->hook_list); + } + break; +@@ -9906,11 +9910,13 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + case NFT_MSG_NEWFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans)); + } else { + nft_use_dec_restore(&trans->ctx.table->use); + list_del_rcu(&nft_trans_flowtable(trans)->list); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable(trans)->hook_list); + } + break; +@@ -10451,7 +10457,8 @@ static void __nft_release_hook(struct net *net, struct nft_table *table) + list_for_each_entry(chain, &table->chains, list) + __nf_tables_unregister_hook(net, table, chain, true); + list_for_each_entry(flowtable, &table->flowtables, list) +- __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list, ++ __nft_unregister_flowtable_net_hooks(net, flowtable, ++ &flowtable->hook_list, + true); + } + +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 6e48c3aa1a2..31d7b16df55 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -6,3 +6,17 @@ dm-array-fix-cursor-index-when-skipping-across-block.patch exfat-fix-the-infinite-loop-in-exfat_readdir.patch exfat-fix-the-infinite-loop-in-__exfat_free_cluster.patch asoc-mediatek-disable-buffer-pre-allocation.patch +ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch +net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch +tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch +tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch +net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch +bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch +cxgb4-avoid-removal-of-uninserted-tid.patch +tls-fix-tls_sw_sendmsg-error-handling.patch +net-hns3-fix-missing-features-due-to-dev-features-co.patch +net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch +net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch +net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch +netfilter-nf_tables-imbalance-in-flowtable-binding.patch +netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch diff --git a/queue-5.15/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch b/queue-5.15/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch new file mode 100644 index 00000000000..801248be78c --- /dev/null +++ b/queue-5.15/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch @@ -0,0 +1,47 @@ +From 4fe7be8ca7cff026e67ef636dbe2a34194dfb44f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 17:14:26 +0000 +Subject: tcp/dccp: allow a connection when sk_max_ack_backlog is zero + +From: Zhongqiu Duan + +[ Upstream commit 3479c7549fb1dfa7a1db4efb7347c7b8ef50de4b ] + +If the backlog of listen() is set to zero, sk_acceptq_is_full() allows +one connection to be made, but inet_csk_reqsk_queue_is_full() does not. +When the net.ipv4.tcp_syncookies is zero, inet_csk_reqsk_queue_is_full() +will cause an immediate drop before the sk_acceptq_is_full() check in +tcp_conn_request(), resulting in no connection can be made. + +This patch tries to keep consistent with 64a146513f8f ("[NET]: Revert +incorrect accept queue backlog changes."). + +Link: https://lore.kernel.org/netdev/20250102080258.53858-1-kuniyu@amazon.com/ +Fixes: ef547f2ac16b ("tcp: remove max_qlen_log") +Signed-off-by: Zhongqiu Duan +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250102171426.915276-1-dzq.aishenghu0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 0bf19c1926ee..7a015055fe6d 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -278,7 +278,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); ++ return inet_csk_reqsk_queue_len(sk) > READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-5.15/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch b/queue-5.15/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch new file mode 100644 index 00000000000..401d38ce0ea --- /dev/null +++ b/queue-5.15/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch @@ -0,0 +1,40 @@ +From 526eb3030c02433db435d37af38ee92d1d2bb989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 17:05:21 +0800 +Subject: tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog + +From: Jason Xing + +[ Upstream commit 9a79c65f00e2b036e17af3a3a607d7d732b7affb ] + +Since commit 099ecf59f05b ("net: annotate lockless accesses to +sk->sk_max_ack_backlog") decided to handle the sk_max_ack_backlog +locklessly, there is one more function mostly called in TCP/DCCP +cases. So this patch completes it:) + +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240331090521.71965-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 3479c7549fb1 ("tcp/dccp: allow a connection when sk_max_ack_backlog is zero") +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 53ec06703fe4..0bf19c1926ee 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -278,7 +278,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog; ++ return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-5.15/tls-fix-tls_sw_sendmsg-error-handling.patch b/queue-5.15/tls-fix-tls_sw_sendmsg-error-handling.patch new file mode 100644 index 00000000000..4eb88e091b2 --- /dev/null +++ b/queue-5.15/tls-fix-tls_sw_sendmsg-error-handling.patch @@ -0,0 +1,46 @@ +From 379c04d620762b6376be5550598daf0c1aa5b1b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2025 10:29:45 -0500 +Subject: tls: Fix tls_sw_sendmsg error handling + +From: Benjamin Coddington + +[ Upstream commit b341ca51d2679829d26a3f6a4aa9aee9abd94f92 ] + +We've noticed that NFS can hang when using RPC over TLS on an unstable +connection, and investigation shows that the RPC layer is stuck in a tight +loop attempting to transmit, but forever getting -EBADMSG back from the +underlying network. The loop begins when tcp_sendmsg_locked() returns +-EPIPE to tls_tx_records(), but that error is converted to -EBADMSG when +calling the socket's error reporting handler. + +Instead of converting errors from tcp_sendmsg_locked(), let's pass them +along in this path. The RPC layer handles -EPIPE by reconnecting the +transport, which prevents the endless attempts to transmit on a broken +connection. + +Signed-off-by: Benjamin Coddington +Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") +Link: https://patch.msgid.link/9594185559881679d81f071b181a10eb07cd079f.1736004079.git.bcodding@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index c17c3a14b9c1..0f93b0ba72df 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -453,7 +453,7 @@ int tls_tx_records(struct sock *sk, int flags) + + tx_err: + if (rc < 0 && rc != -EAGAIN) +- tls_err_abort(sk, -EBADMSG); ++ tls_err_abort(sk, rc); + + return rc; + } +-- +2.39.5 +