From: Greg Kroah-Hartman
Date: Mon, 20 Jun 2022 11:56:59 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.200~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9ca97233f571046185a585403f18515134babf1;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
dma-direct-don-t-over-decrypt-memory.patch
igc-enable-pcie-ptm.patch
net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch
net-sched-act_police-more-accurate-mtu-policing.patch
revert-pci-make-pci_enable_ptm-private.patch
---
diff --git a/queue-5.10/dma-direct-don-t-over-decrypt-memory.patch b/queue-5.10/dma-direct-don-t-over-decrypt-memory.patch
new file mode 100644
index 00000000000..c48a2361990
--- /dev/null
+++ b/queue-5.10/dma-direct-don-t-over-decrypt-memory.patch
@@ -0,0 +1,107 @@
+From 4a37f3dd9a83186cb88d44808ab35b78375082c9 Mon Sep 17 00:00:00 2001
+From: Robin Murphy
+Date: Fri, 20 May 2022 18:10:13 +0100
+Subject: dma-direct: don't over-decrypt memory
+
+From: Robin Murphy
+
+commit 4a37f3dd9a83186cb88d44808ab35b78375082c9 upstream.
+
+The original x86 sev_alloc() only called set_memory_decrypted() on
+memory returned by alloc_pages_node(), so the page order calculation
+fell out of that logic. However, the common dma-direct code has several
+potential allocators, not all of which are guaranteed to round up the
+underlying allocation to a power-of-two size, so carrying over that
+calculation for the encryption/decryption size was a mistake. Fix it by
+rounding to a *number* of pages, rather than an order.
+
+Until recently there was an even worse interaction with DMA_DIRECT_REMAP
+where we could have ended up decrypting part of the next adjacent
+vmalloc area, only averted by no architecture actually supporting both
+configs at once. Don't ask how I found that one out...
+
+Fixes: c10f07aa27da ("dma/direct: Handle force decryption for DMA coherent buffers in common code")
+Signed-off-by: Robin Murphy
+Signed-off-by: Christoph Hellwig
+Acked-by: David Rientjes
+[ backport the functional change without all the prior refactoring ]
+Signed-off-by: Robin Murphy
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/dma/direct.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/kernel/dma/direct.c
++++ b/kernel/dma/direct.c
+@@ -188,7 +188,7 @@ void *dma_direct_alloc(struct device *de
+ goto out_free_pages;
+ if (force_dma_unencrypted(dev)) {
+ err = set_memory_decrypted((unsigned long)ret,
+- 1 << get_order(size));
++ PFN_UP(size));
+ if (err)
+ goto out_free_pages;
+ }
+@@ -210,7 +210,7 @@ void *dma_direct_alloc(struct device *de
+ ret = page_address(page);
+ if (force_dma_unencrypted(dev)) {
+ err = set_memory_decrypted((unsigned long)ret,
+- 1 << get_order(size));
++ PFN_UP(size));
+ if (err)
+ goto out_free_pages;
+ }
+@@ -231,7 +231,7 @@ done:
+ out_encrypt_pages:
+ if (force_dma_unencrypted(dev)) {
+ err = set_memory_encrypted((unsigned long)page_address(page),
+- 1 << get_order(size));
++ PFN_UP(size));
+ /* If memory cannot be re-encrypted, it must be leaked */
+ if (err)
+ return NULL;
+@@ -244,8 +244,6 @@ out_free_pages:
+ void dma_direct_free(struct device *dev, size_t size,
+ void *cpu_addr, dma_addr_t dma_addr, unsigned long attrs)
+ {
+- unsigned int page_order = get_order(size);
+-
+ if ((attrs & DMA_ATTR_NO_KERNEL_MAPPING) &&
+ !force_dma_unencrypted(dev)) {
+ /* cpu_addr is a struct page cookie, not a kernel address */
+@@ -266,7 +264,7 @@ void dma_direct_free(struct device *dev,
+ return;
+
+ if (force_dma_unencrypted(dev))
+- set_memory_encrypted((unsigned long)cpu_addr, 1 << page_order);
++ set_memory_encrypted((unsigned long)cpu_addr, PFN_UP(size));
+
+ if (IS_ENABLED(CONFIG_DMA_REMAP) && is_vmalloc_addr(cpu_addr))
+ vunmap(cpu_addr);
+@@ -302,8 +300,7 @@ struct page *dma_direct_alloc_pages(stru
+
+ ret = page_address(page);
+ if (force_dma_unencrypted(dev)) {
+- if (set_memory_decrypted((unsigned long)ret,
+- 1 << get_order(size)))
++ if (set_memory_decrypted((unsigned long)ret, PFN_UP(size)))
+ goto out_free_pages;
+ }
+ memset(ret, 0, size);
+@@ -318,7 +315,6 @@ void dma_direct_free_pages(struct device
+ struct page *page, dma_addr_t dma_addr,
+ enum dma_data_direction dir)
+ {
+- unsigned int page_order = get_order(size);
+ void *vaddr = page_address(page);
+
+ /* If cpu_addr is not from an atomic pool, dma_free_from_pool() fails */
+@@ -327,7 +323,7 @@ void dma_direct_free_pages(struct device
+ return;
+
+ if (force_dma_unencrypted(dev))
+- set_memory_encrypted((unsigned long)vaddr, 1 << page_order);
++ set_memory_encrypted((unsigned long)vaddr, PFN_UP(size));
+
+ dma_free_contiguous(dev, page, size);
+ }
diff --git a/queue-5.10/igc-enable-pcie-ptm.patch b/queue-5.10/igc-enable-pcie-ptm.patch
new file mode 100644
index 00000000000..52f5a257723
--- /dev/null
+++ b/queue-5.10/igc-enable-pcie-ptm.patch
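Review bot: In dma_direct_free() and dma_direct_free_pages() (dma-direct-don-t-over-decrypt-memory.patch) the return value of `set_memory_encrypted()` is still discarded, and in dma_direct_free_pages() the very next statement is `dma_free_contiguous(dev, page, size);`, so a failed re-encryption would hand pages back to the allocator while they may still be marked decrypted. The alloc error path in the same file already states the rule, `/* If memory cannot be re-encrypted, it must be leaked */`, and the free paths should follow it, e.g. `if (set_memory_encrypted((unsigned long)vaddr, PFN_UP(size))) return;`. The same applies to the `set_memory_decrypted()` failure branches that `goto out_free_pages`, where a partial failure could leave some pages decrypted before they are freed. This predates the backport and the PFN_UP() size change itself looks right; both free functions continue outside the hunks shown, so confirm nothing after the call already handles it.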
@@ -0,0 +1,50 @@
+From 1b5d73fb862414106cf270a1a7300ce8ae77de83 Mon Sep 17 00:00:00 2001
+From: Vinicius Costa Gomes
+Date: Mon, 26 Jul 2021 20:36:56 -0700
+Subject: igc: Enable PCIe PTM
+
+From: Vinicius Costa Gomes
+
+commit 1b5d73fb862414106cf270a1a7300ce8ae77de83 upstream.
+
+Enables PCIe PTM (Precision Time Measurement) support in the igc
+driver. Notifies the PCI devices that PCIe PTM should be enabled.
+
+PCIe PTM is similar protocol to PTP (Precision Time Protocol) running
+in the PCIe fabric, it allows devices to report time measurements from
+their internal clocks and the correlation with the PCIe root clock.
+
+The i225 NIC exposes some registers that expose those time
+measurements, those registers will be used, in later patches, to
+implement the PTP_SYS_OFFSET_PRECISE ioctl().
+
+Signed-off-by: Vinicius Costa Gomes
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Signed-off-by: Meng Tang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -5041,6 +5042,10 @@ static int igc_probe(struct pci_dev *pde
+
+ pci_enable_pcie_error_reporting(pdev);
+
++ err = pci_enable_ptm(pdev, NULL);
++ if (err < 0)
++ dev_info(&pdev->dev, "PCIe PTM not supported by PCIe bus/controller\n");
++
+ pci_set_master(pdev);
+
+ err = -ENOMEM;
diff --git a/queue-5.10/net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch b/queue-5.10/net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch
new file mode 100644
index 00000000000..da413a00245
--- /dev/null
+++ b/queue-5.10/net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch
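Review bot: The `dev_info()` added after `pci_enable_ptm()` in igc_probe (igc-enable-pcie-ptm.patch) reports every negative return as "not supported by PCIe bus/controller" and drops the error code. The `!CONFIG_PCIE_PTM` stub restored by revert-pci-make-pci_enable_ptm-private.patch in this same queue returns -EINVAL, so a kernel built without PTM would print this bus/controller message on every probe although the cause is the kernel configuration. Logging the code would keep the line diagnosable, e.g. `dev_info(&pdev->dev, "PCIe PTM not enabled (%d)\n", err);`. igc_probe's body starts and ends outside the hunk.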
@@ -0,0 +1,107 @@
+From 2061ecfdf2350994e5b61c43e50e98a7a70e95ee Mon Sep 17 00:00:00 2001
+From: Ilya Maximets
+Date: Tue, 7 Jun 2022 00:11:40 +0200
+Subject: net: openvswitch: fix misuse of the cached connection on tuple changes
+
+From: Ilya Maximets
+
+commit 2061ecfdf2350994e5b61c43e50e98a7a70e95ee upstream.
+
+If packet headers changed, the cached nfct is no longer relevant
+for the packet and attempt to re-use it leads to the incorrect packet
+classification.
+
+This issue is causing broken connectivity in OpenStack deployments
+with OVS/OVN due to hairpin traffic being unexpectedly dropped.
+
+The setup has datapath flows with several conntrack actions and tuple
+changes between them:
+
+ actions:ct(commit,zone=8,mark=0/0x1,nat(src)),
+ set(eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:06)),
+ set(ipv4(src=172.18.2.10,dst=192.168.100.6,ttl=62)),
+ ct(zone=8),recirc(0x4)
+
+After the first ct() action the packet headers are almost fully
+re-written. The next ct() tries to re-use the existing nfct entry
+and marks the packet as invalid, so it gets dropped later in the
+pipeline.
+
+Clearing the cached conntrack entry whenever packet tuple is changed
+to avoid the issue.
+
+The flow key should not be cleared though, because we should still
+be able to match on the ct_state if the recirculation happens after
+the tuple change but before the next ct() action.
+
+Cc: stable@vger.kernel.org
+Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
+Reported-by: Frode Nordahl
+Link: https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051829.html
+Link: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967856
+Signed-off-by: Ilya Maximets
+Link: https://lore.kernel.org/r/20220606221140.488984-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski
+[Backport to 5.10: minor rebase in ovs_ct_clear function.
+ This version also applicable to and tested on 5.4 and 4.19.]
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/actions.c | 6 ++++++
+ net/openvswitch/conntrack.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -372,6 +372,7 @@ static void set_ip_addr(struct sk_buff *
+ update_ip_l4_checksum(skb, nh, *addr, new_addr);
+ csum_replace4(&nh->check, *addr, new_addr);
+ skb_clear_hash(skb);
++ ovs_ct_clear(skb, NULL);
+ *addr = new_addr;
+ }
+
+@@ -419,6 +420,7 @@ static void set_ipv6_addr(struct sk_buff
+ update_ipv6_checksum(skb, l4_proto, addr, new_addr);
+
+ skb_clear_hash(skb);
++ ovs_ct_clear(skb, NULL);
+ memcpy(addr, new_addr, sizeof(__be32[4]));
+ }
+
+@@ -659,6 +661,7 @@ static int set_nsh(struct sk_buff *skb,
+ static void set_tp_port(struct sk_buff *skb, __be16 *port,
+ __be16 new_port, __sum16 *check)
+ {
++ ovs_ct_clear(skb, NULL);
+ inet_proto_csum_replace2(check, skb, *port, new_port, false);
+ *port = new_port;
+ }
+@@ -698,6 +701,7 @@ static int set_udp(struct sk_buff *skb,
+ uh->dest = dst;
+ flow_key->tp.src = src;
+ flow_key->tp.dst = dst;
++ ovs_ct_clear(skb, NULL);
+ }
+
+ skb_clear_hash(skb);
+@@ -760,6 +764,8 @@ static int set_sctp(struct sk_buff *skb,
+ sh->checksum = old_csum ^ old_correct_csum ^ new_csum;
+
+ skb_clear_hash(skb);
++ ovs_ct_clear(skb, NULL);
++
+ flow_key->tp.src = sh->source;
+ flow_key->tp.dst = sh->dest;
+
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -1324,7 +1324,8 @@ int ovs_ct_clear(struct sk_buff *skb, st
+ if (skb_nfct(skb)) {
+ nf_conntrack_put(skb_nfct(skb));
+ nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
+- ovs_ct_fill_key(skb, key);
++ if (key)
++ ovs_ct_fill_key(skb, key);
+ }
+
+ return 0;
diff --git a/queue-5.10/net-sched-act_police-more-accurate-mtu-policing.patch b/queue-5.10/net-sched-act_police-more-accurate-mtu-policing.patch
new file mode 100644
index 00000000000..a56499e2ae3
--- /dev/null
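Review bot: The `if (key)` guard in ovs_ct_clear() (conntrack.c section of net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch) gives the function a second calling convention, `key == NULL`, that is documented nowhere in the code. Neither the guard nor the five new `ovs_ct_clear(skb, NULL)` call sites in actions.c say why the flow key is deliberately left untouched. A comment at the guard would carry the changelog's reasoning, e.g. `/* key is NULL when a set action rewrote the tuple: drop the cached nfct but keep ct_state in the flow key for a recirculation before the next ct() */`. Conntrack state feeds forwarding and filtering decisions, so it is also worth stating next to set_tp_port() that every path that rewrites addresses or ports must clear the cached entry; set_udp() apparently needs its own call because that branch assigns `uh->dest` directly. ovs_ct_clear's body starts outside the hunk.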
+++ b/queue-5.10/net-sched-act_police-more-accurate-mtu-policing.patch 
@@ -0,0 +1,136 @@
+From 4ddc844eb81da59bfb816d8d52089aba4e59e269 Mon Sep 17 00:00:00 2001
+From: Davide Caratti
+Date: Thu, 10 Feb 2022 18:56:08 +0100
+Subject: net/sched: act_police: more accurate MTU policing
+
+From: Davide Caratti
+
+commit 4ddc844eb81da59bfb816d8d52089aba4e59e269 upstream.
+
+in current Linux, MTU policing does not take into account that packets at
+the TC ingress have the L2 header pulled. Thus, the same TC police action
+(with the same value of tcfp_mtu) behaves differently for ingress/egress.
+In addition, the full GSO size is compared to tcfp_mtu: as a consequence,
+the policer drops GSO packets even when individual segments have the L2 +
+L3 + L4 + payload length below the configured valued of tcfp_mtu.
+
+Improve the accuracy of MTU policing as follows:
+ - account for mac_len for non-GSO packets at TC ingress.
+ - compare MTU threshold with the segmented size for GSO packets.
+Also, add a kselftest that verifies the correct behavior.
+
+Signed-off-by: Davide Caratti
+Reviewed-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+[dcaratti: fix conflicts due to lack of the following commits:
+ - commit 2ffe0395288a ("net/sched: act_police: add support for
+ packet-per-second policing")
+ - commit 53b61f29367d ("selftests: forwarding: Add tc-police tests for
+ packets per second")]
+Link: https://lore.kernel.org/netdev/876d597a0ff55f6ba786f73c5a9fd9eb8d597a03.1644514748.git.dcaratti@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_police.c | 16 +++++-
+ tools/testing/selftests/net/forwarding/tc_police.sh | 52 ++++++++++++++++++++
+ 2 files changed, 67 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -213,6 +213,20 @@ release_idr:
+ return err;
+ }
+
++static bool tcf_police_mtu_check(struct sk_buff *skb, u32 limit)
++{
++ u32 len;
++
++ if (skb_is_gso(skb))
++ return skb_gso_validate_mac_len(skb, limit);
++
++ len = qdisc_pkt_len(skb);
++ if (skb_at_tc_ingress(skb))
++ len += skb->mac_len;
++
++ return len <= limit;
++}
++
+ static int tcf_police_act(struct sk_buff *skb, const struct tc_action *a,
+ struct tcf_result *res)
+ {
+@@ -235,7 +249,7 @@ static int tcf_police_act(struct sk_buff
+ goto inc_overlimits;
+ }
+
+- if (qdisc_pkt_len(skb) <= p->tcfp_mtu) {
++ if (tcf_police_mtu_check(skb, p->tcfp_mtu)) {
+ if (!p->rate_present) {
+ ret = p->tcfp_result;
+ goto end;
+--- a/tools/testing/selftests/net/forwarding/tc_police.sh
++++ b/tools/testing/selftests/net/forwarding/tc_police.sh
+@@ -35,6 +35,8 @@ ALL_TESTS="
+ police_shared_test
+ police_rx_mirror_test
+ police_tx_mirror_test
++ police_mtu_rx_test
++ police_mtu_tx_test
+ "
+ NUM_NETIFS=6
+ source tc_common.sh
+@@ -290,6 +292,56 @@ police_tx_mirror_test()
+ police_mirror_common_test $rp2 egress "police tx and mirror"
+ }
+
++police_mtu_common_test() {
++ RET=0
++
++ local test_name=$1; shift
++ local dev=$1; shift
++ local direction=$1; shift
++
++ tc filter add dev $dev $direction protocol ip pref 1 handle 101 flower \
++ dst_ip 198.51.100.1 ip_proto udp dst_port 54321 \
++ action police mtu 1042 conform-exceed drop/ok
++
++ # to count "conform" packets
++ tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
++ dst_ip 198.51.100.1 ip_proto udp dst_port 54321 \
++ action drop
++
++ mausezahn $h1 -a own -b $(mac_get $rp1) -A 192.0.2.1 -B 198.51.100.1 \
++ -t udp sp=12345,dp=54321 -p 1001 -c 10 -q
++
++ mausezahn $h1 -a own -b $(mac_get $rp1) -A 192.0.2.1 -B 198.51.100.1 \
++ -t udp sp=12345,dp=54321 -p 1000 -c 3 -q
++
++ tc_check_packets "dev $dev $direction" 101 13
++ check_err $? "wrong packet counter"
++
++ # "exceed" packets
++ local overlimits_t0=$(tc_rule_stats_get ${dev} 1 ${direction} .overlimits)
++ test ${overlimits_t0} = 10
++ check_err $? "wrong overlimits, expected 10 got ${overlimits_t0}"
++
++ # "conform" packets
++ tc_check_packets "dev $h2 ingress" 101 3
++ check_err $? "forwarding error"
++
++ tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
++ tc filter del dev $dev $direction protocol ip pref 1 handle 101 flower
++
++ log_test "$test_name"
++}
++
++police_mtu_rx_test()
++{
++ police_mtu_common_test "police mtu (rx)" $rp1 ingress
++}
++
++police_mtu_tx_test()
++{
++ police_mtu_common_test "police mtu (tx)" $rp2 egress
++}
++
+ setup_prepare()
+ {
+ h1=${NETIFS[p1]}
diff --git a/queue-5.10/revert-pci-make-pci_enable_ptm-private.patch b/queue-5.10/revert-pci-make-pci_enable_ptm-private.patch
new file mode 100644
index 00000000000..088818cb655
--- /dev/null
+++ b/queue-5.10/revert-pci-make-pci_enable_ptm-private.patch
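Review bot: The selftest added to tc_police.sh only drives the non-GSO branch of `tcf_police_mtu_check()`: both mausezahn runs send single UDP datagrams (`-p 1001` and `-p 1000`), so the `skb_is_gso()` / `skb_gso_validate_mac_len()` path, which is half of what the changelog says is being fixed, has no coverage in what is visible here. The helper in act_police.c also has no comment explaining why `skb->mac_len` is added only at ingress; a line above the `skb_at_tc_ingress()` test such as `/* at TC ingress the L2 header is already pulled: add it back so ingress and egress compare the same length */` would record the reasoning from the commit message. In the test, `test ${overlimits_t0} = 10` is unquoted, so an empty result from tc_rule_stats_get becomes a `test` syntax error rather than a clean mismatch; `check_err` still catches it, but `test "${overlimits_t0}" = 10` is tidier.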
@@ -0,0 +1,56 @@
+From 1d71eb53e45187f58089d32b51e27784c791d90e Mon Sep 17 00:00:00 2001
+From: Vinicius Costa Gomes
+Date: Mon, 26 Jul 2021 20:36:54 -0700
+Subject: Revert "PCI: Make pci_enable_ptm() private"
+
+From: Vinicius Costa Gomes
+
+commit 1d71eb53e45187f58089d32b51e27784c791d90e upstream.
+
+Make pci_enable_ptm() accessible from the drivers.
+
+Exposing this to the driver enables the driver to use the
+'ptm_enabled' field of 'pci_dev' to check if PTM is enabled or not.
+
+This reverts commit ac6c26da29c1 ("PCI: Make pci_enable_ptm() private").
+
+Signed-off-by: Vinicius Costa Gomes
+Acked-by: Bjorn Helgaas
+Signed-off-by: Tony Nguyen
+Signed-off-by: Meng Tang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci.h | 3 ---
+ include/linux/pci.h | 7 +++++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -585,11 +585,8 @@ static inline void pcie_ecrc_get_policy(
+
+ #ifdef CONFIG_PCIE_PTM
+ void pci_ptm_init(struct pci_dev *dev);
+-int pci_enable_ptm(struct pci_dev *dev, u8 *granularity);
+ #else
+ static inline void pci_ptm_init(struct pci_dev *dev) { }
+-static inline int pci_enable_ptm(struct pci_dev *dev, u8 *granularity)
+-{ return -EINVAL; }
+ #endif
+
+ struct pci_dev_reset_methods {
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1599,6 +1599,13 @@ static inline bool pci_aer_available(voi
+
+ bool pci_ats_disabled(void);
+
++#ifdef CONFIG_PCIE_PTM
++int pci_enable_ptm(struct pci_dev *dev, u8 *granularity);
++#else
++static inline int pci_enable_ptm(struct pci_dev *dev, u8 *granularity)
++{ return -EINVAL; }
++#endif
++
+ void pci_cfg_access_lock(struct pci_dev *dev);
+ bool pci_cfg_access_trylock(struct pci_dev *dev);
+ void pci_cfg_access_unlock(struct pci_dev *dev);
diff --git a/queue-5.10/series b/queue-5.10/series
index 25d89846cee..6de0b21624b 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -75,3 +75,8 @@ kvm-x86-account-a-variety-of-miscellaneous-allocations.patch
 kvm-svm-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-data-leak.patch
 alsa-hda-realtek-fix-right-sounds-and-mute-micmute-leds-for-hp-machine.patch
 virtio-pci-remove-wrong-address-verification-in-vp_del_vqs.patch
+dma-direct-don-t-over-decrypt-memory.patch
+net-sched-act_police-more-accurate-mtu-policing.patch
+net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch
+revert-pci-make-pci_enable_ptm-private.patch
+igc-enable-pcie-ptm.patch