From: Greg Kroah-Hartman
Date: Sat, 18 Feb 2023 11:28:55 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v4.14.306~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d7fe23cd46534572c6451c446712d8df8b6ec163;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
bnxt_en-fix-mqprio-and-xdp-ring-checking-logic.patch
dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch
igb-conditionalize-i2c-bit-banging-on-external-thermal-sensor-support.patch
igb-fix-pps-input-and-output-using-3rd-and-4th-sdp.patch
ipv6-fix-datagram-socket-connection-with-dscp.patch
ipv6-fix-tcp-socket-connection-with-dscp.patch
ixgbe-add-double-of-vlan-header-when-computing-the-max-mtu.patch
mm-gup-add-folio-to-list-when-folio_isolate_lru-succeed.patch
net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch
net-openvswitch-fix-possible-memory-leak-in-ovs_meter_cmd_set.patch
net-sched-act_ctinfo-use-percpu-stats.patch
net-stmmac-fix-order-of-dwmac5-flexpps-parametrization-sequence.patch
net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch
net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch
net-use-a-bounce-buffer-for-copying-skb-mark.patch
tipc-fix-kernel-warning-when-sending-syn-message.patch
tracing-make-trace_define_field_ext-static.patch
---
diff --git a/queue-6.1/bnxt_en-fix-mqprio-and-xdp-ring-checking-logic.patch b/queue-6.1/bnxt_en-fix-mqprio-and-xdp-ring-checking-logic.patch
new file mode 100644
index 00000000000..88083f55cbe
--- /dev/null
+++ b/queue-6.1/bnxt_en-fix-mqprio-and-xdp-ring-checking-logic.patch
@@ -0,0 +1,47 @@ +From 2038cc592811209de20c4e094ca08bfb1e6fbc6c Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Fri, 10 Feb 2023 12:31:55 -0500 +Subject: bnxt_en: Fix mqprio and XDP ring checking logic + +From: Michael Chan + +commit 2038cc592811209de20c4e094ca08bfb1e6fbc6c upstream. + +In bnxt_reserve_rings(), there is logic to check that the number of TX +rings reserved is enough to cover all the mqprio TCs, but it fails to +account for the TX XDP rings. So the check will always fail if there +are mqprio TCs and TX XDP rings. As a result, the driver always fails +to initialize after the XDP program is attached and the device will be +brought down. A subsequent ifconfig up will also fail because the +number of TX rings is set to an inconsistent number. Fix the check to +properly account for TX XDP rings. If the check fails, set the number +of TX rings back to a consistent number after calling netdev_reset_tc(). + +Fixes: 674f50a5b026 ("bnxt_en: Implement new method to reserve rings.") +Reviewed-by: Hongguang Gao +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9239,10 +9239,14 @@ int bnxt_reserve_rings(struct bnxt *bp, + netdev_err(bp->dev, "ring reservation/IRQ init failure rc: %d\n", rc); + return rc; + } +- if (tcs && (bp->tx_nr_rings_per_tc * tcs != bp->tx_nr_rings)) { ++ if (tcs && (bp->tx_nr_rings_per_tc * tcs != ++ bp->tx_nr_rings - bp->tx_nr_rings_xdp)) { + netdev_err(bp->dev, "tx ring reservation failure\n"); + netdev_reset_tc(bp->dev); +- bp->tx_nr_rings_per_tc = bp->tx_nr_rings; ++ if (bp->tx_nr_rings_xdp) ++ bp->tx_nr_rings_per_tc = bp->tx_nr_rings_xdp; ++ else ++ bp->tx_nr_rings_per_tc = bp->tx_nr_rings; + return -ENOMEM; + } + return 0; 
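Review bot: In the failure branch of bnxt_reserve_rings(), the new `if (bp->tx_nr_rings_xdp)` fallback assigns the XDP ring count to `tx_nr_rings_per_tc` without saying why that is the consistent value. It appears to rely on the driver keeping one XDP ring per regular TX ring; if that invariant holds, `bp->tx_nr_rings_per_tc = bp->tx_nr_rings - bp->tx_nr_rings_xdp;` would cover both arms and state it directly, otherwise a one-line comment naming the assumption would help. The same subtraction in the condition is unguarded, so it is worth confirming that `tx_nr_rings_xdp` can never exceed `tx_nr_rings` after a partial reservation. The function starts outside the hunk.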
diff --git a/queue-6.1/dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch b/queue-6.1/dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch
new file mode 100644
index 00000000000..70d2c9d1b57
--- /dev/null
+++ b/queue-6.1/dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch
@@ -0,0 +1,125 @@ +From ca43ccf41224b023fc290073d5603a755fd12eed Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Thu, 9 Feb 2023 16:22:01 -0800 +Subject: dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. + +From: Kuniyuki Iwashima + +commit ca43ccf41224b023fc290073d5603a755fd12eed upstream. + +Eric Dumazet pointed out [0] that when we call skb_set_owner_r() +for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called, +resulting in a negative sk_forward_alloc. + +We add a new helper which clones a skb and sets its owner only +when sk_rmem_schedule() succeeds. + +Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv() +because tcp_send_synack() can make sk_forward_alloc negative before +ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases. + +[0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/ + +Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()") +Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 13 +++++++++++++ + net/dccp/ipv6.c | 7 ++----- + net/ipv6/tcp_ipv6.c | 10 +++------- + 3 files changed, 18 insertions(+), 12 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2430,6 +2430,19 @@ static inline __must_check bool skb_set_ + return false; + } + ++static inline struct sk_buff *skb_clone_and_charge_r(struct sk_buff *skb, struct sock *sk) ++{ ++ skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC)); ++ if (skb) { ++ if (sk_rmem_schedule(sk, skb, skb->truesize)) { ++ skb_set_owner_r(skb, sk); ++ return skb; ++ } ++ __kfree_skb(skb); ++ } ++ return NULL; ++} ++ + static inline void skb_prepare_for_gro(struct sk_buff *skb) + { + if (skb->destructor != sock_wfree) { +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c 
+@@ -551,11 +551,9 @@ static struct sock *dccp_v6_request_recv + *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL); + /* Clone pktoptions received with SYN, if we own the req */ + if (*own_req && ireq->pktopts) { +- newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC); ++ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk); + consume_skb(ireq->pktopts); + ireq->pktopts = NULL; +- if (newnp->pktoptions) +- skb_set_owner_r(newnp->pktoptions, newsk); + } + + return newsk; +@@ -615,7 +613,7 @@ static int dccp_v6_do_rcv(struct sock *s + --ANK (980728) + */ + if (np->rxopt.all) +- opt_skb = skb_clone(skb, GFP_ATOMIC); ++ opt_skb = skb_clone_and_charge_r(skb, sk); + + if (sk->sk_state == DCCP_OPEN) { /* Fast path */ + if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len)) +@@ -679,7 +677,6 @@ ipv6_pktoptions: + np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb)); + if (ipv6_opt_accepted(sk, opt_skb, + &DCCP_SKB_CB(opt_skb)->header.h6)) { +- skb_set_owner_r(opt_skb, sk); + memmove(IP6CB(opt_skb), + &DCCP_SKB_CB(opt_skb)->header.h6, + sizeof(struct inet6_skb_parm)); +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1388,14 +1388,11 @@ static struct sock *tcp_v6_syn_recv_sock + + /* Clone pktoptions received with SYN, if we own the req */ + if (ireq->pktopts) { +- newnp->pktoptions = skb_clone(ireq->pktopts, +- sk_gfp_mask(sk, GFP_ATOMIC)); ++ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk); + consume_skb(ireq->pktopts); + ireq->pktopts = NULL; +- if (newnp->pktoptions) { ++ if (newnp->pktoptions) + tcp_v6_restore_cb(newnp->pktoptions); +- skb_set_owner_r(newnp->pktoptions, newsk); +- } + } + } else { + if (!req_unhash && found_dup_sk) { +@@ -1467,7 +1464,7 @@ int tcp_v6_do_rcv(struct sock *sk, struc + --ANK (980728) + */ + if (np->rxopt.all) +- opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC)); ++ opt_skb = skb_clone_and_charge_r(skb, sk); + + reason = SKB_DROP_REASON_NOT_SPECIFIED; + if (sk->sk_state == 
TCP_ESTABLISHED) { /* Fast path */ +@@ -1553,7 +1550,6 @@ ipv6_pktoptions: + if (np->repflow) + np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb)); + if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) { +- skb_set_owner_r(opt_skb, sk); + tcp_v6_restore_cb(opt_skb); + opt_skb = xchg(&np->pktoptions, opt_skb); + } else { diff --git a/queue-6.1/igb-conditionalize-i2c-bit-banging-on-external-thermal-sensor-support.patch b/queue-6.1/igb-conditionalize-i2c-bit-banging-on-external-thermal-sensor-support.patch new file mode 100644 index 00000000000..0e4386058c3 --- /dev/null +++ b/queue-6.1/igb-conditionalize-i2c-bit-banging-on-external-thermal-sensor-support.patch 
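Review bot: skb_clone_and_charge_r() is added to include/net/sock.h without a comment, and its NULL return now covers two different failures: skb_clone() failing and sk_rmem_schedule() refusing the charge. The `np->rxopt.all` call sites in dccp_v6_do_rcv() and tcp_v6_do_rcv() therefore drop the packet-options copy silently under receive-memory pressure, which the replaced skb_clone() calls did not do. A short kernel-doc block on the helper would help, stating that the returned clone is already charged to and owned by `sk`, and that NULL means either allocation or accounting failure. That would also keep a future caller from adding a second skb_set_owner_r() on the result.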
@@ -0,0 +1,147 @@ +From 5d54cb1767e06025819daa6769e0f18dcbc60936 Mon Sep 17 00:00:00 2001 +From: Corinna Vinschen +Date: Tue, 14 Feb 2023 10:55:48 -0800 +Subject: igb: conditionalize I2C bit banging on external thermal sensor support + +From: Corinna Vinschen + +commit 5d54cb1767e06025819daa6769e0f18dcbc60936 upstream. + +Commit a97f8783a937 ("igb: unbreak I2C bit-banging on i350") introduced +code to change I2C settings to bit banging unconditionally. + +However, this patch introduced a regression: On an Intel S2600CWR +Server Board with three NICs: + +- 1x dual-port copper + Intel I350 Gigabit Network Connection [8086:1521] (rev 01) + fw 1.63, 0x80000dda + +- 2x quad-port SFP+ with copper SFP Avago ABCU-5700RZ + Intel I350 Gigabit Fiber Network Connection [8086:1522] (rev 01) + fw 1.52.0 + +the SFP NICs no longer get link at all. Reverting commit a97f8783a937 +or switching to the Intel out-of-tree driver both fix the problem. + +Per the igb out-of-tree driver, I2C bit banging on i350 depends on +support for an external thermal sensor (ETS). However, commit +a97f8783a937 added bit banging unconditionally. Additionally, the +out-of-tree driver always calls init_thermal_sensor_thresh on probe, +while our driver only calls init_thermal_sensor_thresh only in +igb_reset(), and only if an ETS is present, ignoring the internal +thermal sensor. The affected SFPs don't provide an ETS. Per Intel, +the behaviour is a result of i350 firmware requirements. + +This patch fixes the problem by aligning the behaviour to the +out-of-tree driver: + +- split igb_init_i2c() into two functions: + - igb_init_i2c() only performs the basic I2C initialization. + - igb_set_i2c_bb() makes sure that E1000_CTRL_I2C_ENA is set + and enables bit-banging. + +- igb_probe() only calls igb_set_i2c_bb() if an ETS is present. + +- igb_probe() calls init_thermal_sensor_thresh() unconditionally. + +- igb_reset() aligns its behaviour to igb_probe(), i. 
e., call + igb_set_i2c_bb() if an ETS is present and call + init_thermal_sensor_thresh() unconditionally. + +Fixes: a97f8783a937 ("igb: unbreak I2C bit-banging on i350") +Tested-by: Mateusz Palczewski +Co-developed-by: Jamie Bainbridge +Signed-off-by: Jamie Bainbridge +Signed-off-by: Corinna Vinschen +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230214185549.1306522-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 42 +++++++++++++++++------ + 1 file changed, 32 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index d8e3048b93dd..b5b443883da9 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -2256,6 +2256,30 @@ static void igb_enable_mas(struct igb_adapter *adapter) + } + } + ++#ifdef CONFIG_IGB_HWMON ++/** ++ * igb_set_i2c_bb - Init I2C interface ++ * @hw: pointer to hardware structure ++ **/ ++static void igb_set_i2c_bb(struct e1000_hw *hw) ++{ ++ u32 ctrl_ext; ++ s32 i2cctl; ++ ++ ctrl_ext = rd32(E1000_CTRL_EXT); ++ ctrl_ext |= E1000_CTRL_I2C_ENA; ++ wr32(E1000_CTRL_EXT, ctrl_ext); ++ wrfl(); ++ ++ i2cctl = rd32(E1000_I2CPARAMS); ++ i2cctl |= E1000_I2CBB_EN ++ | E1000_I2C_CLK_OE_N ++ | E1000_I2C_DATA_OE_N; ++ wr32(E1000_I2CPARAMS, i2cctl); ++ wrfl(); ++} ++#endif ++ + void igb_reset(struct igb_adapter *adapter) + { + struct pci_dev *pdev = adapter->pdev; +@@ -2400,7 +2424,8 @@ void igb_reset(struct igb_adapter *adapter) + * interface. 
+ */ + if (adapter->ets) +- mac->ops.init_thermal_sensor_thresh(hw); ++ igb_set_i2c_bb(hw); ++ mac->ops.init_thermal_sensor_thresh(hw); + } + } + #endif +@@ -3117,21 +3142,12 @@ static void igb_init_mas(struct igb_adapter *adapter) + **/ + static s32 igb_init_i2c(struct igb_adapter *adapter) + { +- struct e1000_hw *hw = &adapter->hw; + s32 status = 0; +- s32 i2cctl; + + /* I2C interface supported on i350 devices */ + if (adapter->hw.mac.type != e1000_i350) + return 0; + +- i2cctl = rd32(E1000_I2CPARAMS); +- i2cctl |= E1000_I2CBB_EN +- | E1000_I2C_CLK_OUT | E1000_I2C_CLK_OE_N +- | E1000_I2C_DATA_OUT | E1000_I2C_DATA_OE_N; +- wr32(E1000_I2CPARAMS, i2cctl); +- wrfl(); +- + /* Initialize the i2c bus which is controlled by the registers. + * This bus will use the i2c_algo_bit structure that implements + * the protocol through toggling of the 4 bits in the register. +@@ -3521,6 +3537,12 @@ static int igb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + adapter->ets = true; + else + adapter->ets = false; ++ /* Only enable I2C bit banging if an external thermal ++ * sensor is supported. ++ */ ++ if (adapter->ets) ++ igb_set_i2c_bb(hw); ++ hw->mac.ops.init_thermal_sensor_thresh(hw); + if (igb_sysfs_init(adapter)) + dev_err(&pdev->dev, + "failed to allocate sysfs resources\n"); +-- +2.39.1 + diff --git a/queue-6.1/igb-fix-pps-input-and-output-using-3rd-and-4th-sdp.patch b/queue-6.1/igb-fix-pps-input-and-output-using-3rd-and-4th-sdp.patch new file mode 100644 index 00000000000..6852b974d3a --- /dev/null +++ b/queue-6.1/igb-fix-pps-input-and-output-using-3rd-and-4th-sdp.patch 
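Review bot: The kernel-doc for the new igb_set_i2c_bb() reads `igb_set_i2c_bb - Init I2C interface`, which describes igb_init_i2c() rather than this helper; `igb_set_i2c_bb - Enable I2C bit-bang mode` would match the body, which sets E1000_CTRL_I2C_ENA and then E1000_I2CBB_EN with the two OE_N bits. The helper also no longer sets E1000_I2C_CLK_OUT and E1000_I2C_DATA_OUT, which the block removed from igb_init_i2c() did, and the commit message does not mention it; a line in the comment saying the omission is intentional would settle that. In igb_probe() the call `hw->mac.ops.init_thermal_sensor_thresh(hw);` is now unconditional, so it is worth confirming the op is populated for every MAC type that can reach it. The guarding condition is outside the hunk.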
@@ -0,0 +1,75 @@ +From 207ce626add80ddd941f62fc2fe5d77586e0801b Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Mon, 13 Feb 2023 10:58:22 -0800 +Subject: igb: Fix PPS input and output using 3rd and 4th SDP + +From: Miroslav Lichvar + +commit 207ce626add80ddd941f62fc2fe5d77586e0801b upstream. + +Fix handling of the tsync interrupt to compare the pin number with +IGB_N_SDP instead of IGB_N_EXTTS/IGB_N_PEROUT and fix the indexing to +the perout array. + +Fixes: cf99c1dd7b77 ("igb: move PEROUT and EXTTS isr logic to separate functions") +Reported-by: Matt Corallo +Signed-off-by: Miroslav Lichvar +Reviewed-by: Jacob Keller +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230213185822.3960072-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6816,7 +6816,7 @@ static void igb_perout(struct igb_adapte + struct timespec64 ts; + u32 tsauxc; + +- if (pin < 0 || pin >= IGB_N_PEROUT) ++ if (pin < 0 || pin >= IGB_N_SDP) + return; + + spin_lock(&adapter->tmreg_lock); +@@ -6824,7 +6824,7 @@ static void igb_perout(struct igb_adapte + if (hw->mac.type == e1000_82580 || + hw->mac.type == e1000_i354 || + hw->mac.type == e1000_i350) { +- s64 ns = timespec64_to_ns(&adapter->perout[pin].period); ++ s64 ns = timespec64_to_ns(&adapter->perout[tsintr_tt].period); + u32 systiml, systimh, level_mask, level, rem; + u64 systim, now; + +@@ -6872,8 +6872,8 @@ static void igb_perout(struct igb_adapte + ts.tv_nsec = (u32)systim; + ts.tv_sec = ((u32)(systim >> 32)) & 0xFF; + } else { +- ts = timespec64_add(adapter->perout[pin].start, +- adapter->perout[pin].period); ++ ts = timespec64_add(adapter->perout[tsintr_tt].start, ++ adapter->perout[tsintr_tt].period); 
+ } + + /* u32 conversion of tv_sec is safe until y2106 */ +@@ -6882,7 +6882,7 @@ static void igb_perout(struct igb_adapte + tsauxc = rd32(E1000_TSAUXC); + tsauxc |= TSAUXC_EN_TT0; + wr32(E1000_TSAUXC, tsauxc); +- adapter->perout[pin].start = ts; ++ adapter->perout[tsintr_tt].start = ts; + + spin_unlock(&adapter->tmreg_lock); + } +@@ -6896,7 +6896,7 @@ static void igb_extts(struct igb_adapter + struct ptp_clock_event event; + struct timespec64 ts; + +- if (pin < 0 || pin >= IGB_N_EXTTS) ++ if (pin < 0 || pin >= IGB_N_SDP) + return; + + if (hw->mac.type == e1000_82580 || diff --git a/queue-6.1/ipv6-fix-datagram-socket-connection-with-dscp.patch b/queue-6.1/ipv6-fix-datagram-socket-connection-with-dscp.patch new file mode 100644 index 00000000000..7365c22abc9 --- /dev/null +++ b/queue-6.1/ipv6-fix-datagram-socket-connection-with-dscp.patch 
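Review bot: igb_perout() now indexes `adapter->perout[]` with `tsintr_tt`, but the only range check visible in the hunk is still the one on `pin`, now compared with IGB_N_SDP. If perout[] is sized by IGB_N_PEROUT, nothing in these lines ties `tsintr_tt` to that bound. The callers presumably pass only valid indices, but a guard such as `if (tsintr_tt >= IGB_N_PEROUT) return;` next to the pin check would make the array access safe on its own. The declaration of `tsintr_tt` and the callers are outside the hunk, so the type and the existing guarantees should be confirmed there.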
@@ -0,0 +1,47 @@ +From e010ae08c71fda8be3d6bda256837795a0b3ea41 Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Wed, 8 Feb 2023 18:13:59 +0100 +Subject: ipv6: Fix datagram socket connection with DSCP. + +From: Guillaume Nault + +commit e010ae08c71fda8be3d6bda256837795a0b3ea41 upstream. + +Take into account the IPV6_TCLASS socket option (DSCP) in +ip6_datagram_flow_key_init(). Otherwise fib6_rule_match() can't +properly match the DSCP value, resulting in invalid route lookup. + +For example: + + ip route add unreachable table main 2001:db8::10/124 + + ip route add table 100 2001:db8::10/124 dev eth0 + ip -6 rule add dsfield 0x04 table 100 + + echo test | socat - UDP6:[2001:db8::11]:54321,ipv6-tclass=0x04 + +Without this patch, socat fails at connect() time ("No route to host") +because the fib-rule doesn't jump to table 100 and the lookup ends up +being done in the main table. + +Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.") +Signed-off-by: Guillaume Nault +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/datagram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -51,7 +51,7 @@ static void ip6_datagram_flow_key_init(s + fl6->flowi6_mark = sk->sk_mark; + fl6->fl6_dport = inet->inet_dport; + fl6->fl6_sport = inet->inet_sport; +- fl6->flowlabel = np->flow_label; ++ fl6->flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label); + fl6->flowi6_uid = sk->sk_uid; + + if (!oif) diff --git a/queue-6.1/ipv6-fix-tcp-socket-connection-with-dscp.patch b/queue-6.1/ipv6-fix-tcp-socket-connection-with-dscp.patch new file mode 100644 index 00000000000..c6ff07c7724 --- /dev/null +++ b/queue-6.1/ipv6-fix-tcp-socket-connection-with-dscp.patch 
@@ -0,0 +1,46 @@ +From 8230680f36fd1525303d1117768c8852314c488c Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Wed, 8 Feb 2023 18:14:03 +0100 +Subject: ipv6: Fix tcp socket connection with DSCP. + +From: Guillaume Nault + +commit 8230680f36fd1525303d1117768c8852314c488c upstream. + +Take into account the IPV6_TCLASS socket option (DSCP) in +tcp_v6_connect(). Otherwise fib6_rule_match() can't properly +match the DSCP value, resulting in invalid route lookup. + +For example: + + ip route add unreachable table main 2001:db8::10/124 + + ip route add table 100 2001:db8::10/124 dev eth0 + ip -6 rule add dsfield 0x04 table 100 + + echo test | socat - TCP6:[2001:db8::11]:54321,ipv6-tclass=0x04 + +Without this patch, socat fails at connect() time ("No route to host") +because the fib-rule doesn't jump to table 100 and the lookup ends up +being done in the main table. + +Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.") +Signed-off-by: Guillaume Nault +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/tcp_ipv6.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -272,6 +272,7 @@ static int tcp_v6_connect(struct sock *s + fl6.flowi6_proto = IPPROTO_TCP; + fl6.daddr = sk->sk_v6_daddr; + fl6.saddr = saddr ? *saddr : np->saddr; ++ fl6.flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label); + fl6.flowi6_oif = sk->sk_bound_dev_if; + fl6.flowi6_mark = sk->sk_mark; + fl6.fl6_dport = usin->sin6_port; diff --git a/queue-6.1/ixgbe-add-double-of-vlan-header-when-computing-the-max-mtu.patch b/queue-6.1/ixgbe-add-double-of-vlan-header-when-computing-the-max-mtu.patch new file mode 100644 index 00000000000..3eb3f3f7f16 --- /dev/null +++ b/queue-6.1/ixgbe-add-double-of-vlan-header-when-computing-the-max-mtu.patch 
@@ -0,0 +1,46 @@ +From 0967bf837784a11c65d66060623a74e65211af0b Mon Sep 17 00:00:00 2001 +From: Jason Xing +Date: Thu, 9 Feb 2023 10:41:28 +0800 +Subject: ixgbe: add double of VLAN header when computing the max MTU + +From: Jason Xing + +commit 0967bf837784a11c65d66060623a74e65211af0b upstream. + +Include the second VLAN HLEN into account when computing the maximum +MTU size as other drivers do. + +Fixes: fabf1bce103a ("ixgbe: Prevent unsupported configurations with XDP") +Signed-off-by: Jason Xing +Reviewed-by: Alexander Duyck +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 ++ + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h +@@ -67,6 +67,8 @@ + #define IXGBE_RXBUFFER_4K 4096 + #define IXGBE_MAX_RXBUFFER 16384 /* largest size for a single descriptor */ + ++#define IXGBE_PKT_HDR_PAD (ETH_HLEN + ETH_FCS_LEN + (VLAN_HLEN * 2)) ++ + /* Attempt to maximize the headroom available for incoming frames. We + * use a 2K buffer for receives and need 1536/1534 to store the data for + * the frame. This leaves us with 512 bytes of room. From that we need +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -6801,8 +6801,7 @@ static int ixgbe_change_mtu(struct net_d + struct ixgbe_adapter *adapter = netdev_priv(netdev); + + if (ixgbe_enabled_xdp_adapter(adapter)) { +- int new_frame_size = new_mtu + ETH_HLEN + ETH_FCS_LEN + +- VLAN_HLEN; ++ int new_frame_size = new_mtu + IXGBE_PKT_HDR_PAD; + + if (new_frame_size > ixgbe_max_xdp_frame_size(adapter)) { + e_warn(probe, "Requested MTU size is not supported with XDP\n"); 
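Review bot: IXGBE_PKT_HDR_PAD is introduced in ixgbe.h without a comment, so the reason for `VLAN_HLEN * 2` lives only in the commit message. A line such as `/* L2 overhead added to the MTU: Ethernet header, FCS and two VLAN headers */` above the define would keep the XDP frame-size check in ixgbe_change_mtu() understandable to someone reading the header alone.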
diff --git a/queue-6.1/mm-gup-add-folio-to-list-when-folio_isolate_lru-succeed.patch b/queue-6.1/mm-gup-add-folio-to-list-when-folio_isolate_lru-succeed.patch new file mode 100644 index 00000000000..63f94603f5a --- /dev/null +++ b/queue-6.1/mm-gup-add-folio-to-list-when-folio_isolate_lru-succeed.patch @@ -0,0 +1,39 @@ +From aa1e6a932ca652a50a5df458399724a80459f521 Mon Sep 17 00:00:00 2001 +From: Kuan-Ying Lee +Date: Tue, 31 Jan 2023 14:32:06 +0800 +Subject: mm/gup: add folio to list when folio_isolate_lru() succeed + +From: Kuan-Ying Lee + +commit aa1e6a932ca652a50a5df458399724a80459f521 upstream. + +If we call folio_isolate_lru() successfully, we will get return value 0. +We need to add this folio to the movable_pages_list. + +Link: https://lkml.kernel.org/r/20230131063206.28820-1-Kuan-Ying.Lee@mediatek.com +Fixes: 67e139b02d99 ("mm/gup.c: refactor check_and_migrate_movable_pages()") +Signed-off-by: Kuan-Ying Lee +Reviewed-by: Alistair Popple +Acked-by: David Hildenbrand +Reviewed-by: Baolin Wang +Cc: Andrew Yang +Cc: Chinwen Chang +Cc: John Hubbard +Cc: Matthias Brugger +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1978,7 +1978,7 @@ static unsigned long collect_longterm_un + drain_allow = false; + } + +- if (!folio_isolate_lru(folio)) ++ if (folio_isolate_lru(folio)) + continue; + + list_add_tail(&folio->lru, movable_page_list); diff --git a/queue-6.1/net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch b/queue-6.1/net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch new file mode 100644 index 00000000000..d4938f4612b --- /dev/null +++ b/queue-6.1/net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch 
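Review bot: The corrected test `if (folio_isolate_lru(folio))` followed by `continue;` in the mm/gup.c hunk depends on folio_isolate_lru() returning 0 on success, which the commit message states but the code does not. A bare truth test reads as "was isolated", which is the misreading that produced the original bug. A comment such as `/* folio_isolate_lru() returns 0 on success */` above the test would make the polarity explicit and make the same inversion harder to reintroduce in a later backport. The enclosing function continues outside the hunk.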
@@ -0,0 +1,54 @@ +From fda6c89fe3d9aca073495a664e1d5aea28cd4377 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Mon, 13 Feb 2023 22:53:55 -0800 +Subject: net: mpls: fix stale pointer if allocation fails during device rename + +From: Jakub Kicinski + +commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream. + +lianhui reports that when MPLS fails to register the sysctl table +under new location (during device rename) the old pointers won't +get overwritten and may be freed again (double free). + +Handle this gracefully. The best option would be unregistering +the MPLS from the device completely on failure, but unfortunately +mpls_ifdown() can fail. So failing fully is also unreliable. + +Another option is to register the new table first then only +remove old one if the new one succeeds. That requires more +code, changes order of notifications and two tables may be +visible at the same time. + +sysctl point is not used in the rest of the code - set to NULL +on failures and skip unregister if already NULL. + +Reported-by: lianhui tang +Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mpls/af_mpls.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(stru + free: + kfree(table); + out: ++ mdev->sysctl = NULL; + return -ENOBUFS; + } + +@@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(s + struct net *net = dev_net(dev); + struct ctl_table *table; + ++ if (!mdev->sysctl) ++ return; ++ + table = mdev->sysctl->ctl_table_arg; + unregister_net_sysctl_table(mdev->sysctl); + kfree(table); diff --git a/queue-6.1/net-openvswitch-fix-possible-memory-leak-in-ovs_meter_cmd_set.patch b/queue-6.1/net-openvswitch-fix-possible-memory-leak-in-ovs_meter_cmd_set.patch new file mode 100644 index 00000000000..05dc2bee0e2 --- /dev/null 
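Review bot: mpls_dev_sysctl_unregister() gains a NULL guard, but the visible lines still leave `mdev->sysctl` holding a stale pointer after `unregister_net_sysctl_table(mdev->sysctl);` and `kfree(table);`. The double free is avoided only as long as every later path goes through mpls_dev_sysctl_register(), which stores either a new pointer or, with this patch, NULL. Adding `mdev->sysctl = NULL;` right after `kfree(table);` would make the guard hold regardless of caller order. The rest of the function is outside the hunk, so this may already be handled there.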
+++ b/queue-6.1/net-openvswitch-fix-possible-memory-leak-in-ovs_meter_cmd_set.patch @@ -0,0 +1,42 @@ +From 2fa28f5c6fcbfc794340684f36d2581b4f2d20b5 Mon Sep 17 00:00:00 2001 +From: Hangyu Hua +Date: Fri, 10 Feb 2023 10:05:51 +0800 +Subject: net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() + +From: Hangyu Hua + +commit 2fa28f5c6fcbfc794340684f36d2581b4f2d20b5 upstream. + +old_meter needs to be free after it is detached regardless of whether +the new meter is successfully attached. + +Fixes: c7c4c44c9a95 ("net: openvswitch: expand the meters supported number") +Signed-off-by: Hangyu Hua +Acked-by: Eelco Chaudron +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/meter.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/openvswitch/meter.c ++++ b/net/openvswitch/meter.c +@@ -449,7 +449,7 @@ static int ovs_meter_cmd_set(struct sk_b + + err = attach_meter(meter_tbl, meter); + if (err) +- goto exit_unlock; ++ goto exit_free_old_meter; + + ovs_unlock(); + +@@ -472,6 +472,8 @@ static int ovs_meter_cmd_set(struct sk_b + genlmsg_end(reply, ovs_reply_header); + return genlmsg_reply(reply, info); + ++exit_free_old_meter: ++ ovs_meter_free(old_meter); + exit_unlock: + ovs_unlock(); + nlmsg_free(reply); diff --git a/queue-6.1/net-sched-act_ctinfo-use-percpu-stats.patch b/queue-6.1/net-sched-act_ctinfo-use-percpu-stats.patch new file mode 100644 index 00000000000..795620ce3a6 --- /dev/null +++ b/queue-6.1/net-sched-act_ctinfo-use-percpu-stats.patch 
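Review bot: The new `exit_free_old_meter:` label calls `ovs_meter_free(old_meter);` on the attach_meter() failure path, where `old_meter` may be NULL if no meter with that id was detached earlier. Both the assignment of `old_meter` and the body of ovs_meter_free() are outside the hunk, so it should be confirmed that the helper accepts NULL. A comment at the label would document why a free sits on an error path, for example `/* old_meter was already detached from the table; free it even though the new meter was not attached */`.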
@@ -0,0 +1,60 @@ +From 21c167aa0ba943a7cac2f6969814f83bb701666b Mon Sep 17 00:00:00 2001 +From: Pedro Tammela +Date: Fri, 10 Feb 2023 17:08:25 -0300 +Subject: net/sched: act_ctinfo: use percpu stats + +From: Pedro Tammela + +commit 21c167aa0ba943a7cac2f6969814f83bb701666b upstream. + +The tc action act_ctinfo was using shared stats, fix it to use percpu stats +since bstats_update() must be called with locks or with a percpu pointer argument. + +tdc results: +1..12 +ok 1 c826 - Add ctinfo action with default setting +ok 2 0286 - Add ctinfo action with dscp +ok 3 4938 - Add ctinfo action with valid cpmark and zone +ok 4 7593 - Add ctinfo action with drop control +ok 5 2961 - Replace ctinfo action zone and action control +ok 6 e567 - Delete ctinfo action with valid index +ok 7 6a91 - Delete ctinfo action with invalid index +ok 8 5232 - List ctinfo actions +ok 9 7702 - Flush ctinfo actions +ok 10 3201 - Add ctinfo action with duplicate index +ok 11 8295 - Add ctinfo action with invalid index +ok 12 3964 - Replace ctinfo action with invalid goto_chain control + +Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action") +Reviewed-by: Jamal Hadi Salim +Signed-off-by: Pedro Tammela +Reviewed-by: Larysa Zaremba +Link: https://lore.kernel.org/r/20230210200824.444856-1-pctammela@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ctinfo.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/sched/act_ctinfo.c ++++ b/net/sched/act_ctinfo.c +@@ -91,7 +91,7 @@ static int tcf_ctinfo_act(struct sk_buff + cp = rcu_dereference_bh(ca->params); + + tcf_lastuse_update(&ca->tcf_tm); +- bstats_update(&ca->tcf_bstats, skb); ++ tcf_action_update_bstats(&ca->common, skb); + action = READ_ONCE(ca->tcf_action); + + wlen = skb_network_offset(skb); +@@ -210,8 +210,8 @@ static int tcf_ctinfo_init(struct net *n + index = actparm->index; + err = tcf_idr_check_alloc(tn, &index, a, bind); + if (!err) { +- ret = 
tcf_idr_create(tn, index, est, a, +- &act_ctinfo_ops, bind, false, flags); ++ ret = tcf_idr_create_from_flags(tn, index, est, a, ++ &act_ctinfo_ops, bind, flags); + if (ret) { + tcf_idr_cleanup(tn, index); + return ret; diff --git a/queue-6.1/net-stmmac-fix-order-of-dwmac5-flexpps-parametrization-sequence.patch b/queue-6.1/net-stmmac-fix-order-of-dwmac5-flexpps-parametrization-sequence.patch new file mode 100644 index 00000000000..c8a29fcaf17 --- /dev/null +++ b/queue-6.1/net-stmmac-fix-order-of-dwmac5-flexpps-parametrization-sequence.patch 
@@ -0,0 +1,61 @@ +From 4562c65ec852067c6196abdcf2d925f08841dcbc Mon Sep 17 00:00:00 2001 +From: Johannes Zink +Date: Fri, 10 Feb 2023 15:39:37 +0100 +Subject: net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence + +From: Johannes Zink + +commit 4562c65ec852067c6196abdcf2d925f08841dcbc upstream. + +So far changing the period by just setting new period values while +running did not work. + +The order as indicated by the publicly available reference manual of the i.MX8MP [1] +indicates a sequence: + + * initiate the programming sequence + * set the values for PPS period and start time + * start the pulse train generation. + +This is currently not used in dwmac5_flex_pps_config(), which instead does: + + * initiate the programming sequence and immediately start the pulse train generation + * set the values for PPS period and start time + +This caused the period values written not to take effect until the FlexPPS output was +disabled and re-enabled again. + +This patch fix the order and allows the period to be set immediately. 
+ +[1] https://www.nxp.com/webapp/Download?colCode=IMX8MPRM + +Fixes: 9a8a02c9d46d ("net: stmmac: Add Flexible PPS support") +Signed-off-by: Johannes Zink +Link: https://lore.kernel.org/r/20230210143937.3427483-1-j.zink@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +@@ -541,9 +541,9 @@ int dwmac5_flex_pps_config(void __iomem + return 0; + } + +- val |= PPSCMDx(index, 0x2); + val |= TRGTMODSELx(index, 0x2); + val |= PPSEN0; ++ writel(val, ioaddr + MAC_PPS_CONTROL); + + writel(cfg->start.tv_sec, ioaddr + MAC_PPSx_TARGET_TIME_SEC(index)); + +@@ -568,6 +568,7 @@ int dwmac5_flex_pps_config(void __iomem + writel(period - 1, ioaddr + MAC_PPSx_WIDTH(index)); + + /* Finally, activate it */ ++ val |= PPSCMDx(index, 0x2); + writel(val, ioaddr + MAC_PPS_CONTROL); + return 0; + } diff --git a/queue-6.1/net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch b/queue-6.1/net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch new file mode 100644 index 00000000000..3dcb0503d9d --- /dev/null +++ b/queue-6.1/net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch 
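Review bot: The writel() added after `val |= PPSEN0;` in dwmac5_flex_pps_config() has no comment, while the later write keeps `/* Finally, activate it */`. The ordering is the whole fix and should be visible in the code. A comment above the first write would do, such as `/* Program mode and enable first; the PPSCMD start command is written only after the target time and width registers are set */`. Whether the PPSCMD field of `val` is cleared before this point is outside the hunk and worth checking, since the first write must not carry a stale command.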
@@ -0,0 +1,37 @@
+From 05d7623a892a9da62da0e714428e38f09e4a64d8 Mon Sep 17 00:00:00 2001
+From: Cristian Ciocaltea
+Date: Fri, 10 Feb 2023 22:21:26 +0200
+Subject: net: stmmac: Restrict warning on disabling DMA store and fwd mode
+
+From: Cristian Ciocaltea
+
+commit 05d7623a892a9da62da0e714428e38f09e4a64d8 upstream.
+
+When setting 'snps,force_thresh_dma_mode' DT property, the following
+warning is always emitted, regardless the status of force_sf_dma_mode:
+
+dwmac-starfive 10020000.ethernet: force_sf_dma_mode is ignored if force_thresh_dma_mode is set.
+
+Do not print the rather misleading message when DMA store and forward
+mode is already disabled.
+
+Fixes: e2a240c7d3bc ("driver:net:stmmac: Disable DMA store and forward mode if platform data force_thresh_dma_mode is set.")
+Signed-off-by: Cristian Ciocaltea
+Link: https://lore.kernel.org/r/20230210202126.877548-1-cristian.ciocaltea@collabora.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -559,7 +559,7 @@ stmmac_probe_config_dt(struct platform_d
+ dma_cfg->mixed_burst = of_property_read_bool(np, "snps,mixed-burst");
+
+ plat->force_thresh_dma_mode = of_property_read_bool(np, "snps,force_thresh_dma_mode");
+- if (plat->force_thresh_dma_mode) {
++ if (plat->force_thresh_dma_mode && plat->force_sf_dma_mode) {
+ plat->force_sf_dma_mode = 0;
+ dev_warn(&pdev->dev,
+ "force_sf_dma_mode is ignored if force_thresh_dma_mode is set.\n");
diff --git a/queue-6.1/net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch b/queue-6.1/net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch
new file mode 100644
index 00000000000..5559fa8ff32
--- /dev/null
+++ b/queue-6.1/net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch
@@ -0,0 +1,54 @@
+From c68f345b7c425b38656e1791a0486769a8797016 Mon Sep 17 00:00:00 2001
+From: Miko Larsson
+Date: Fri, 10 Feb 2023 09:13:44 +0100
+Subject: net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
+
+From: Miko Larsson
+
+commit c68f345b7c425b38656e1791a0486769a8797016 upstream.
+
+syzbot reported that act_len in kalmia_send_init_packet() is
+uninitialized when passing it to the first usb_bulk_msg error path. Jiri
+Pirko noted that it's pointless to pass it in the error path, and that
+the value that would be printed in the second error path would be the
+value of act_len from the first call to usb_bulk_msg.[1]
+
+With this in mind, let's just not pass act_len to the usb_bulk_msg error
+paths.
+
+1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/
+
+Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
+Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55@syzkaller.appspotmail.com
+Signed-off-by: Miko Larsson
+Reviewed-by: Alexander Duyck
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/kalmia.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/usb/kalmia.c
++++ b/drivers/net/usb/kalmia.c
+@@ -65,8 +65,8 @@ kalmia_send_init_packet(struct usbnet *d
+ init_msg, init_msg_len, &act_len, KALMIA_USB_TIMEOUT);
+ if (status != 0) {
+ netdev_err(dev->net,
+- "Error sending init packet. Status %i, length %i\n",
+- status, act_len);
++ "Error sending init packet. Status %i\n",
++ status);
+ return status;
+ }
+ else if (act_len != init_msg_len) {
+@@ -83,8 +83,8 @@ kalmia_send_init_packet(struct usbnet *d
+
+ if (status != 0)
+ netdev_err(dev->net,
+- "Error receiving init result. Status %i, length %i\n",
+- status, act_len);
++ "Error receiving init result. Status %i\n",
++ status);
+ else if (act_len != expected_len)
+ netdev_err(dev->net, "Unexpected init result length: %i\n",
+ act_len);
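Review bot: act_len in kalmia_send_init_packet() still appears to have no initialiser. After this change it is read only on the `status == 0` paths (`act_len != init_msg_len`, `act_len != expected_len`), and nothing in the code enforces that. Giving it an initialiser at its declaration, which lies outside both hunks, would keep a later error-path use from printing uninitialised stack contents into the kernel log again. A short comment above the first check would also record the rule, for example `/* act_len is only meaningful when usb_bulk_msg() returned 0 */`. As a style point, the `else if` following the branch that ends in `return status;` in the first hunk can be a plain `if`.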
diff --git a/queue-6.1/net-use-a-bounce-buffer-for-copying-skb-mark.patch b/queue-6.1/net-use-a-bounce-buffer-for-copying-skb-mark.patch
new file mode 100644
index 00000000000..48a63262905
--- /dev/null
+++ b/queue-6.1/net-use-a-bounce-buffer-for-copying-skb-mark.patch
@@ -0,0 +1,100 @@ +From 2558b8039d059342197610498c8749ad294adee5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 13 Feb 2023 16:00:59 +0000 +Subject: net: use a bounce buffer for copying skb->mark + +From: Eric Dumazet + +commit 2558b8039d059342197610498c8749ad294adee5 upstream. + +syzbot found arm64 builds would crash in sock_recv_mark() +when CONFIG_HARDENED_USERCOPY=y + +x86 and powerpc are not detecting the issue because +they define user_access_begin. +This will be handled in a different patch, +because a check_object_size() is missing. + +Only data from skb->cb[] can be copied directly to/from user space, +as explained in commit 79a8a642bf05 ("net: Whitelist +the skbuff_head_cache "cb" field") + +syzbot report was: +usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)! +------------[ cut here ]------------ +kernel BUG at mm/usercopy.c:102 ! +Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90 +lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90 +sp : ffff80000fb9b9a0 +x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00 +x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000 +x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8 +x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000 +x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118 +x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400 +x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00 +x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000 +x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000 +x2 : 
ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c +Call trace: +usercopy_abort+0x90/0x94 mm/usercopy.c:90 +__check_heap_object+0xa8/0x100 mm/slub.c:4761 +check_heap_object mm/usercopy.c:196 [inline] +__check_object_size+0x208/0x6b8 mm/usercopy.c:251 +check_object_size include/linux/thread_info.h:199 [inline] +__copy_to_user include/linux/uaccess.h:115 [inline] +put_cmsg+0x408/0x464 net/core/scm.c:238 +sock_recv_mark net/socket.c:975 [inline] +__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984 +sock_recv_cmsgs include/net/sock.h:2728 [inline] +packet_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482 +____sys_recvmsg+0x110/0x3a0 +___sys_recvmsg net/socket.c:2737 [inline] +__sys_recvmsg+0x194/0x210 net/socket.c:2767 +__do_sys_recvmsg net/socket.c:2777 [inline] +__se_sys_recvmsg net/socket.c:2774 [inline] +__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774 +__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] +invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52 +el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142 +do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193 +el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637 +el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 +el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 +Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000) + +Fixes: 6fd1d51cfa25 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Erin MacNeil +Reviewed-by: Alexander Lobakin +Link: https://lore.kernel.org/r/20230213160059.3829741-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -971,9 +971,12 @@ static inline void sock_recv_drops(struc + static void sock_recv_mark(struct msghdr *msg, struct sock *sk, + struct sk_buff *skb) + { +- if (sock_flag(sk, SOCK_RCVMARK) && skb) +- 
put_cmsg(msg, SOL_SOCKET, SO_MARK, sizeof(__u32), +- &skb->mark); ++ if (sock_flag(sk, SOCK_RCVMARK) && skb) { ++ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */ ++ __u32 mark = skb->mark; ++ ++ put_cmsg(msg, SOL_SOCKET, SO_MARK, sizeof(__u32), &mark); ++ } + } + + void __sock_recv_cmsgs(struct msghdr *msg, struct sock *sk, diff --git a/queue-6.1/series b/queue-6.1/series index c4ebf714bd6..ccc622a6391 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -86,3 +86,20 @@ net-ethernet-ti-am65-cpsw-add-rx-dma-channel-teardown-quirk.patch sctp-sctp_sock_filter-avoid-list_entry-on-possibly-empty-list.patch net-sched-tcindex-update-imperfect-hash-filters-respecting-rcu.patch ice-xsk-fix-cleaning-of-xdp_tx-frames.patch +dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch +net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch +net-sched-act_ctinfo-use-percpu-stats.patch +net-openvswitch-fix-possible-memory-leak-in-ovs_meter_cmd_set.patch +net-stmmac-fix-order-of-dwmac5-flexpps-parametrization-sequence.patch +bnxt_en-fix-mqprio-and-xdp-ring-checking-logic.patch +tracing-make-trace_define_field_ext-static.patch +net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch +net-use-a-bounce-buffer-for-copying-skb-mark.patch +tipc-fix-kernel-warning-when-sending-syn-message.patch +net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch +igb-conditionalize-i2c-bit-banging-on-external-thermal-sensor-support.patch +igb-fix-pps-input-and-output-using-3rd-and-4th-sdp.patch +ixgbe-add-double-of-vlan-header-when-computing-the-max-mtu.patch +ipv6-fix-datagram-socket-connection-with-dscp.patch +ipv6-fix-tcp-socket-connection-with-dscp.patch +mm-gup-add-folio-to-list-when-folio_isolate_lru-succeed.patch diff --git a/queue-6.1/tipc-fix-kernel-warning-when-sending-syn-message.patch b/queue-6.1/tipc-fix-kernel-warning-when-sending-syn-message.patch new file mode 100644 index 00000000000..b8002bee596 
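Review bot: The comment on the bounce copy in sock_recv_mark() says a bounce buffer is needed for CONFIG_HARDENED_USERCOPY=y but not why, and the reason is what stops someone from going back to `&skb->mark` in a later cleanup. Per the commit message only skb->cb[] may be copied directly to user space from skbuff_head_cache, so I would word it `/* skb->mark lies outside the usercopy-whitelisted cb[] area of skbuff_head_cache; copy it through the stack */`. The length argument could also follow the local, `put_cmsg(msg, SOL_SOCKET, SO_MARK, sizeof(mark), &mark);`, so size and source cannot drift apart. Other put_cmsg() callers that pass the address of a non-cb[] skb field would trip the same check, but none are visible in this hunk.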
--- /dev/null
+++ b/queue-6.1/tipc-fix-kernel-warning-when-sending-syn-message.patch
@@ -0,0 +1,68 @@
+From 11a4d6f67cf55883dc78e31c247d1903ed7feccc Mon Sep 17 00:00:00 2001
+From: Tung Nguyen
+Date: Tue, 14 Feb 2023 01:26:06 +0000
+Subject: tipc: fix kernel warning when sending SYN message
+
+From: Tung Nguyen
+
+commit 11a4d6f67cf55883dc78e31c247d1903ed7feccc upstream.
+
+When sending a SYN message, this kernel stack trace is observed:
+
+...
+[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
+...
+[ 13.398494] Call Trace:
+[ 13.398630]
+[ 13.398630] ? __alloc_skb+0xed/0x1a0
+[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]
+[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290
+[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]
+[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]
+[ 13.398630] ? __local_bh_enable_ip+0x37/0x80
+[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]
+[ 13.398630] ? __sys_connect+0x9f/0xd0
+[ 13.398630] __sys_connect+0x9f/0xd0
+[ 13.398630] ? preempt_count_add+0x4d/0xa0
+[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50
+[ 13.398630] __x64_sys_connect+0x16/0x20
+[ 13.398630] do_syscall_64+0x42/0x90
+[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
+to copy to/from iterator") has introduced sanity check for copying
+from/to iov iterator. Lacking of copy direction from the iterator
+viewpoint would lead to kernel stack trace like above.
+
+This commit fixes this issue by initializing the iov iterator with
+the correct copy direction when sending SYN or ACK without data.
+
+Fixes: f25dcc7687d4 ("tipc: tipc ->sendmsg() conversion")
+Reported-by: syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com
+Acked-by: Jon Maloy
+Signed-off-by: Tung Nguyen
+Link: https://lore.kernel.org/r/20230214012606.5804-1-tung.q.nguyen@dektech.com.au
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2614,6 +2614,7 @@ static int tipc_connect(struct socket *s
+ /* Send a 'SYN-' to destination */
+ m.msg_name = dest;
+ m.msg_namelen = destlen;
++ iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);
+
+ /* If connect is in non-blocking case, set MSG_DONTWAIT to
+ * indicate send_msg() is never blocked.
+@@ -2776,6 +2777,7 @@ static int tipc_accept(struct socket *so
+ __skb_queue_head(&new_sk->sk_receive_queue, buf);
+ skb_set_owner_r(buf, new_sk);
+ }
++ iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);
+ __tipc_sendstream(new_sock, &m, 0);
+ release_sock(new_sk);
+ exit:
diff --git a/queue-6.1/tracing-make-trace_define_field_ext-static.patch b/queue-6.1/tracing-make-trace_define_field_ext-static.patch
new file mode 100644
index 00000000000..2f90d32a2db
--- /dev/null
+++ b/queue-6.1/tracing-make-trace_define_field_ext-static.patch
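Review bot: The line `iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);` is added in both tipc_connect() and tipc_accept() without a comment. An empty iterator set up just before a send looks removable to anyone who does not know about the direction check named in the commit message. I would put `/* No payload, but msg_iter still needs a source direction for the iov_iter copy checks */` above both calls. Both functions begin and end outside their hunks, so it cannot be judged from here whether other paths in net/tipc/socket.c send from a msghdr whose msg_iter was never initialised. The remaining callers of `__tipc_sendmsg()` and `__tipc_sendstream()` are worth checking for the same pattern.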
@@ -0,0 +1,38 @@
+From 70b5339caf847b8b6097b6dfab0c5a99b40713c8 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)"
+Date: Sun, 12 Feb 2023 20:11:42 -0500
+Subject: tracing: Make trace_define_field_ext() static
+
+From: Steven Rostedt (Google)
+
+commit 70b5339caf847b8b6097b6dfab0c5a99b40713c8 upstream.
+
+trace_define_field_ext() is not used outside of trace_events.c, it should
+be static.
+
+Link: https://lore.kernel.org/oe-kbuild-all/202302130750.679RaRog-lkp@intel.com/
+
+Fixes: b6c7abd1c28a ("tracing: Fix TASK_COMM_LEN in trace event format file")
+Reported-by: Reported-by: kernel test robot
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
+index 6a4696719297..6a942fa275c7 100644
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -155,7 +155,7 @@ int trace_define_field(struct trace_event_call *call, const char *type,
+ }
+ EXPORT_SYMBOL_GPL(trace_define_field);
+
+-int trace_define_field_ext(struct trace_event_call *call, const char *type,
++static int trace_define_field_ext(struct trace_event_call *call, const char *type,
+ const char *name, int offset, int size, int is_signed,
+ int filter_type, int len)
+ {
+--
+2.39.1
+