From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 18:20:49 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.14.323~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8cb81a6fbb7e94ef3bf5de5954f2264c323035d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch bpf-sockmap-fix-map-type-error-in-sock_map_del_link.patch dccp-fix-data-race-around-dp-dccps_mss_cache.patch drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch drm-rockchip-don-t-spam-logs-in-atomic-check.patch iavf-fix-potential-races-for-fdir-filters.patch ib-hfi1-fix-possible-panic-during-hotplug-remove.patch misdn-update-parameter-type-of-dsp_cmx_send.patch net-core-remove-unnecessary-frame_sz-check-in-bpf_xdp_adjust_tail.patch net-packet-annotate-data-races-around-tp-status.patch rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch rdma-umem-set-iova-in-odp-flow.patch selftests-forwarding-add-a-helper-to-skip-test-when-using-veth-pairs.patch selftests-forwarding-ethtool-skip-when-using-veth-pairs.patch selftests-forwarding-ethtool_extended_state-skip-when-using-veth-pairs.patch selftests-forwarding-skip-test-when-no-interfaces-are-specified.patch selftests-forwarding-switch-off-timeout.patch selftests-forwarding-tc_flower-relax-success-criterion.patch selftests-rseq-fix-build-with-undefined-__weak.patch tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch vlan-fix-vlan-0-memory-leak.patch wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch xsk-fix-refcount-underflow-in-error-path.patch --- diff --git a/queue-5.15/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch b/queue-5.15/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch new file mode 100644 index 00000000000..c93c5ec28e9 --- /dev/null 
+++ b/queue-5.15/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch 
@@ -0,0 +1,82 @@ +From 01f4fd27087078c90a0e22860d1dfa2cd0510791 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 2 Aug 2023 19:43:20 +0800 +Subject: bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves + +From: Ziyang Xuan + +commit 01f4fd27087078c90a0e22860d1dfa2cd0510791 upstream. + +BUG_ON(!vlan_info) is triggered in unregister_vlan_dev() with +following testcase: + + # ip netns add ns1 + # ip netns exec ns1 ip link add bond0 type bond mode 0 + # ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + # ip netns exec ns1 ip link set bond_slave_1 master bond0 + # ip netns exec ns1 ip link add link bond_slave_1 name vlan10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link add link bond0 name bond0_vlan10 type vlan id 10 protocol 802.1ad + # ip netns exec ns1 ip link set bond_slave_1 nomaster + # ip netns del ns1 + +The logical analysis of the problem is as follows: + +1. create ETH_P_8021AD protocol vlan10 for bond_slave_1: +register_vlan_dev() + vlan_vid_add() + vlan_info_alloc() + __vlan_vid_add() // add [ETH_P_8021AD, 10] vid to bond_slave_1 + +2. create ETH_P_8021AD protocol bond0_vlan10 for bond0: +register_vlan_dev() + vlan_vid_add() + __vlan_vid_add() + vlan_add_rx_filter_info() + if (!vlan_hw_filter_capable(dev, proto)) // condition established because bond0 without NETIF_F_HW_VLAN_STAG_FILTER + return 0; + + if (netif_device_present(dev)) + return dev->netdev_ops->ndo_vlan_rx_add_vid(dev, proto, vid); // will be never called + // The slaves of bond0 will not refer to the [ETH_P_8021AD, 10] vid. + +3. detach bond_slave_1 from bond0: +__bond_release_one() + vlan_vids_del_by_dev() + list_for_each_entry(vid_info, &vlan_info->vid_list, list) + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + // bond_slave_1 [ETH_P_8021AD, 10] vid will be deleted. + // bond_slave_1->vlan_info will be assigned NULL. + +4. 
delete vlan10 during delete ns1: +default_device_exit_batch() + dev->rtnl_link_ops->dellink() // unregister_vlan_dev() for vlan10 + vlan_info = rtnl_dereference(real_dev->vlan_info); // real_dev of vlan10 is bond_slave_1 + BUG_ON(!vlan_info); // bond_slave_1->vlan_info is NULL now, bug is triggered!!! + +Add S-VLAN tag related features support to bond driver. So the bond driver +will always propagate the VLAN info to its slaves. + +Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support") +Suggested-by: Ido Schimmel +Signed-off-by: Ziyang Xuan +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/20230802114320.4156068-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -5491,7 +5491,9 @@ void bond_setup(struct net_device *bond_ + + bond_dev->hw_features = BOND_VLAN_FEATURES | + NETIF_F_HW_VLAN_CTAG_RX | +- NETIF_F_HW_VLAN_CTAG_FILTER; ++ NETIF_F_HW_VLAN_CTAG_FILTER | ++ NETIF_F_HW_VLAN_STAG_RX | ++ NETIF_F_HW_VLAN_STAG_FILTER; + + bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL; + bond_dev->features |= bond_dev->hw_features; diff --git a/queue-5.15/bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch b/queue-5.15/bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch new file mode 100644 index 00000000000..5b45f93d11f --- /dev/null +++ b/queue-5.15/bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch 
@@ -0,0 +1,71 @@ +From 809e4dc71a0f2b8d2836035d98603694fff11d5d Mon Sep 17 00:00:00 2001 +From: Xu Kuohai +Date: Fri, 4 Aug 2023 03:37:38 -0400 +Subject: bpf, sockmap: Fix bug that strp_done cannot be called + +From: Xu Kuohai + +commit 809e4dc71a0f2b8d2836035d98603694fff11d5d upstream. + +strp_done is only called when psock->progs.stream_parser is not NULL, +but stream_parser was set to NULL by sk_psock_stop_strp(), called +by sk_psock_drop() earlier. So, strp_done can never be called. + +Introduce SK_PSOCK_RX_ENABLED to mark whether there is strp on psock. +Change the condition for calling strp_done from judging whether +stream_parser is set to judging whether this flag is set. This flag is +only set once when strp_init() succeeds, and will never be cleared later. + +Fixes: c0d95d3380ee ("bpf, sockmap: Re-evaluate proto ops when psock is removed from sockmap") +Signed-off-by: Xu Kuohai +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/20230804073740.194770-3-xukuohai@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skmsg.h | 1 + + net/core/skmsg.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -63,6 +63,7 @@ struct sk_psock_progs { + + enum sk_psock_state_bits { + SK_PSOCK_TX_ENABLED, ++ SK_PSOCK_RX_STRP_ENABLED, + }; + + struct sk_psock_link { +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -1124,13 +1124,19 @@ static void sk_psock_strp_data_ready(str + + int sk_psock_init_strp(struct sock *sk, struct sk_psock *psock) + { ++ int ret; ++ + static const struct strp_callbacks cb = { + .rcv_msg = sk_psock_strp_read, + .read_sock_done = sk_psock_strp_read_done, + .parse_msg = sk_psock_strp_parse, + }; + +- return strp_init(&psock->strp, sk, &cb); ++ ret = strp_init(&psock->strp, sk, &cb); ++ if (!ret) ++ sk_psock_set_state(psock, SK_PSOCK_RX_STRP_ENABLED); ++ ++ return ret; + } + + void sk_psock_start_strp(struct 
sock *sk, struct sk_psock *psock) +@@ -1158,7 +1164,7 @@ void sk_psock_stop_strp(struct sock *sk, + static void sk_psock_done_strp(struct sk_psock *psock) + { + /* Parser has been stopped */ +- if (psock->progs.stream_parser) ++ if (sk_psock_test_state(psock, SK_PSOCK_RX_STRP_ENABLED)) + strp_done(&psock->strp); + } + #else diff --git a/queue-5.15/bpf-sockmap-fix-map-type-error-in-sock_map_del_link.patch b/queue-5.15/bpf-sockmap-fix-map-type-error-in-sock_map_del_link.patch new file mode 100644 index 00000000000..96bb1027deb --- /dev/null +++ b/queue-5.15/bpf-sockmap-fix-map-type-error-in-sock_map_del_link.patch 
@@ -0,0 +1,45 @@ +From 7e96ec0e6605b69bb21bbf6c0ff9051e656ec2b1 Mon Sep 17 00:00:00 2001 +From: Xu Kuohai +Date: Fri, 4 Aug 2023 03:37:37 -0400 +Subject: bpf, sockmap: Fix map type error in sock_map_del_link + +From: Xu Kuohai + +commit 7e96ec0e6605b69bb21bbf6c0ff9051e656ec2b1 upstream. + +sock_map_del_link() operates on both SOCKMAP and SOCKHASH, although +both types have member named "progs", the offset of "progs" member in +these two types is different, so "progs" should be accessed with the +real map type. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Xu Kuohai +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/20230804073740.194770-2-xukuohai@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock_map.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -148,13 +148,13 @@ static void sock_map_del_link(struct soc + list_for_each_entry_safe(link, tmp, &psock->link, list) { + if (link->link_raw == link_raw) { + struct bpf_map *map = link->map; +- struct bpf_stab *stab = container_of(map, struct bpf_stab, +- map); +- if (psock->saved_data_ready && stab->progs.stream_parser) ++ struct sk_psock_progs *progs = sock_map_progs(map); ++ ++ if (psock->saved_data_ready && progs->stream_parser) + strp_stop = true; +- if (psock->saved_data_ready && stab->progs.stream_verdict) ++ if (psock->saved_data_ready && progs->stream_verdict) + verdict_stop = true; +- if (psock->saved_data_ready && stab->progs.skb_verdict) ++ if (psock->saved_data_ready && progs->skb_verdict) + verdict_stop = true; + list_del(&link->list); + sk_psock_free_link(link); diff --git a/queue-5.15/dccp-fix-data-race-around-dp-dccps_mss_cache.patch b/queue-5.15/dccp-fix-data-race-around-dp-dccps_mss_cache.patch new file mode 100644 index 00000000000..5e01d2c3857 --- /dev/null 
+++ b/queue-5.15/dccp-fix-data-race-around-dp-dccps_mss_cache.patch 
@@ -0,0 +1,71 @@ +From a47e598fbd8617967e49d85c49c22f9fc642704c Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 3 Aug 2023 16:30:21 +0000 +Subject: dccp: fix data-race around dp->dccps_mss_cache + +From: Eric Dumazet + +commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream. + +dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. +Same thing in do_dccp_getsockopt(). + +Add READ_ONCE()/WRITE_ONCE() annotations, +and change dccp_sendmsg() to check again dccps_mss_cache +after socket is locked. + +Fixes: 7c657876b63c ("[DCCP]: Initial implementation") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/output.c | 2 +- + net/dccp/proto.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/net/dccp/output.c ++++ b/net/dccp/output.c +@@ -187,7 +187,7 @@ unsigned int dccp_sync_mss(struct sock * + + /* And store cached results */ + icsk->icsk_pmtu_cookie = pmtu; +- dp->dccps_mss_cache = cur_mps; ++ WRITE_ONCE(dp->dccps_mss_cache, cur_mps); + + return cur_mps; + } +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -639,7 +639,7 @@ static int do_dccp_getsockopt(struct soc + return dccp_getsockopt_service(sk, len, + (__be32 __user *)optval, optlen); + case DCCP_SOCKOPT_GET_CUR_MPS: +- val = dp->dccps_mss_cache; ++ val = READ_ONCE(dp->dccps_mss_cache); + break; + case DCCP_SOCKOPT_AVAILABLE_CCIDS: + return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen); +@@ -748,7 +748,7 @@ int dccp_sendmsg(struct sock *sk, struct + + trace_dccp_probe(sk, len); + +- if (len > dp->dccps_mss_cache) ++ if (len > READ_ONCE(dp->dccps_mss_cache)) + return -EMSGSIZE; + + lock_sock(sk); +@@ -781,6 +781,12 @@ int dccp_sendmsg(struct sock *sk, struct + goto out_discard; + } + ++ /* We need to check dccps_mss_cache after socket is locked. 
*/ ++ if (len > dp->dccps_mss_cache) { ++ rc = -EMSGSIZE; ++ goto out_discard; ++ } ++ + skb_reserve(skb, sk->sk_prot->max_header); + rc = memcpy_from_msg(skb_put(skb, len), msg, len); + if (rc != 0) diff --git a/queue-5.15/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch b/queue-5.15/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch new file mode 100644 index 00000000000..80bc2cdcdc5 --- /dev/null +++ b/queue-5.15/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch 
@@ -0,0 +1,40 @@ +From 59eeb232940515590de513b997539ef495faca9a Mon Sep 17 00:00:00 2001 +From: Andrew Kanner +Date: Thu, 3 Aug 2023 20:59:48 +0200 +Subject: drivers: net: prevent tun_build_skb() to exceed the packet size limit + +From: Andrew Kanner + +commit 59eeb232940515590de513b997539ef495faca9a upstream. + +Using the syzkaller repro with reduced packet size it was discovered +that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(), +although pad may be incremented in tun_build_skb(). This may end up +with exceeding the PAGE_SIZE limit in tun_build_skb(). + +Jason Wang proposed to count XDP_PACKET_HEADROOM +always (e.g. without rcu_access_pointer(tun->xdp_prog)) in +tun_can_build_skb() since there's a window during which XDP program +might be attached between tun_can_build_skb() and tun_build_skb(). + +Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set") +Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a +Signed-off-by: Andrew Kanner +Link: https://lore.kernel.org/r/20230803185947.2379988-1-andrew.kanner@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1574,7 +1574,7 @@ static bool tun_can_build_skb(struct tun + if (zerocopy) + return false; + +- if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + ++ if (SKB_DATA_ALIGN(len + TUN_RX_PAD + XDP_PACKET_HEADROOM) + + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE) + return false; + diff --git a/queue-5.15/drm-rockchip-don-t-spam-logs-in-atomic-check.patch b/queue-5.15/drm-rockchip-don-t-spam-logs-in-atomic-check.patch new file mode 100644 index 00000000000..b1d783ebbc0 --- /dev/null +++ b/queue-5.15/drm-rockchip-don-t-spam-logs-in-atomic-check.patch 
@@ -0,0 +1,70 @@ +From 43dae319b50fac075ad864f84501c703ef20eb2b Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Tue, 8 Aug 2023 11:44:05 +0100 +Subject: drm/rockchip: Don't spam logs in atomic check + +From: Daniel Stone + +commit 43dae319b50fac075ad864f84501c703ef20eb2b upstream. + +Userspace should not be able to trigger DRM_ERROR messages to spam the +logs; especially not through atomic commit parameters which are +completely legitimate for userspace to attempt. + +Signed-off-by: Daniel Stone +Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc") +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20230808104405.522493-1-daniels@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -820,12 +820,12 @@ static int vop_plane_atomic_check(struct + * need align with 2 pixel. 
+ */ + if (fb->format->is_yuv && ((new_plane_state->src.x1 >> 16) % 2)) { +- DRM_ERROR("Invalid Source: Yuv format not support odd xpos\n"); ++ DRM_DEBUG_KMS("Invalid Source: Yuv format not support odd xpos\n"); + return -EINVAL; + } + + if (fb->format->is_yuv && new_plane_state->rotation & DRM_MODE_REFLECT_Y) { +- DRM_ERROR("Invalid Source: Yuv format does not support this rotation\n"); ++ DRM_DEBUG_KMS("Invalid Source: Yuv format does not support this rotation\n"); + return -EINVAL; + } + +@@ -833,7 +833,7 @@ static int vop_plane_atomic_check(struct + struct vop *vop = to_vop(crtc); + + if (!vop->data->afbc) { +- DRM_ERROR("vop does not support AFBC\n"); ++ DRM_DEBUG_KMS("vop does not support AFBC\n"); + return -EINVAL; + } + +@@ -842,15 +842,16 @@ static int vop_plane_atomic_check(struct + return ret; + + if (new_plane_state->src.x1 || new_plane_state->src.y1) { +- DRM_ERROR("AFBC does not support offset display, xpos=%d, ypos=%d, offset=%d\n", +- new_plane_state->src.x1, +- new_plane_state->src.y1, fb->offsets[0]); ++ DRM_DEBUG_KMS("AFBC does not support offset display, " \ ++ "xpos=%d, ypos=%d, offset=%d\n", ++ new_plane_state->src.x1, new_plane_state->src.y1, ++ fb->offsets[0]); + return -EINVAL; + } + + if (new_plane_state->rotation && new_plane_state->rotation != DRM_MODE_ROTATE_0) { +- DRM_ERROR("No rotation support in AFBC, rotation=%d\n", +- new_plane_state->rotation); ++ DRM_DEBUG_KMS("No rotation support in AFBC, rotation=%d\n", ++ new_plane_state->rotation); + return -EINVAL; + } + } diff --git a/queue-5.15/iavf-fix-potential-races-for-fdir-filters.patch b/queue-5.15/iavf-fix-potential-races-for-fdir-filters.patch new file mode 100644 index 00000000000..45caa949fc3 --- /dev/null +++ b/queue-5.15/iavf-fix-potential-races-for-fdir-filters.patch 
@@ -0,0 +1,92 @@ +From 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 Mon Sep 17 00:00:00 2001 +From: Piotr Gardocki +Date: Mon, 7 Aug 2023 13:50:11 -0700 +Subject: iavf: fix potential races for FDIR filters + +From: Piotr Gardocki + +commit 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 upstream. + +Add fdir_fltr_lock locking in unprotected places. + +The change in iavf_fdir_is_dup_fltr adds a spinlock around a loop which +iterates over all filters and looks for a duplicate. The filter can be +removed from list and freed from memory at the same time it's being +compared. All other places where filters are deleted are already +protected with spinlock. + +The remaining changes protect adapter->fdir_active_fltr variable so now +all its uses are under a spinlock. + +Fixes: 527691bf0682 ("iavf: Support IPv4 Flow Director filters") +Signed-off-by: Piotr Gardocki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230807205011.3129224-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 5 ++++- + drivers/net/ethernet/intel/iavf/iavf_fdir.c | 11 ++++++++--- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1387,14 +1387,15 @@ static int iavf_add_fdir_ethtool(struct + if (fsp->flow_type & FLOW_MAC_EXT) + return -EINVAL; + ++ spin_lock_bh(&adapter->fdir_fltr_lock); + if (adapter->fdir_active_fltr >= IAVF_MAX_FDIR_FILTERS) { ++ spin_unlock_bh(&adapter->fdir_fltr_lock); + dev_err(&adapter->pdev->dev, + "Unable to add Flow Director filter because VF reached the limit of max allowed filters (%u)\n", + IAVF_MAX_FDIR_FILTERS); + return -ENOSPC; + } + +- spin_lock_bh(&adapter->fdir_fltr_lock); + if (iavf_find_fdir_fltr_by_loc(adapter, fsp->location)) { + dev_err(&adapter->pdev->dev, "Failed to add Flow Director 
filter, it already exists\n"); + spin_unlock_bh(&adapter->fdir_fltr_lock); +@@ -1767,7 +1768,9 @@ static int iavf_get_rxnfc(struct net_dev + case ETHTOOL_GRXCLSRLCNT: + if (!FDIR_FLTR_SUPPORT(adapter)) + break; ++ spin_lock_bh(&adapter->fdir_fltr_lock); + cmd->rule_cnt = adapter->fdir_active_fltr; ++ spin_unlock_bh(&adapter->fdir_fltr_lock); + cmd->data = IAVF_MAX_FDIR_FILTERS; + ret = 0; + break; +--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.c +@@ -722,7 +722,9 @@ void iavf_print_fdir_fltr(struct iavf_ad + bool iavf_fdir_is_dup_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr) + { + struct iavf_fdir_fltr *tmp; ++ bool ret = false; + ++ spin_lock_bh(&adapter->fdir_fltr_lock); + list_for_each_entry(tmp, &adapter->fdir_list_head, list) { + if (tmp->flow_type != fltr->flow_type) + continue; +@@ -732,11 +734,14 @@ bool iavf_fdir_is_dup_fltr(struct iavf_a + !memcmp(&tmp->ip_data, &fltr->ip_data, + sizeof(fltr->ip_data)) && + !memcmp(&tmp->ext_data, &fltr->ext_data, +- sizeof(fltr->ext_data))) +- return true; ++ sizeof(fltr->ext_data))) { ++ ret = true; ++ break; ++ } + } ++ spin_unlock_bh(&adapter->fdir_fltr_lock); + +- return false; ++ return ret; + } + + /** diff --git a/queue-5.15/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch b/queue-5.15/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch new file mode 100644 index 00000000000..23bd46dc1a2 --- /dev/null +++ b/queue-5.15/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch 
@@ -0,0 +1,33 @@ +From 4fdfaef71fced490835145631a795497646f4555 Mon Sep 17 00:00:00 2001 +From: Douglas Miller +Date: Wed, 2 Aug 2023 13:32:41 -0400 +Subject: IB/hfi1: Fix possible panic during hotplug remove + +From: Douglas Miller + +commit 4fdfaef71fced490835145631a795497646f4555 upstream. + +During hotplug remove it is possible that the update counters work +might be pending, and may run after memory has been freed. +Cancel the update counters work before freeing memory. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Signed-off-by: Douglas Miller +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/169099756100.3927190.15284930454106475280.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/chip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -12306,6 +12306,7 @@ static void free_cntrs(struct hfi1_devda + + if (dd->synth_stats_timer.function) + del_timer_sync(&dd->synth_stats_timer); ++ cancel_work_sync(&dd->update_cntr_work); + ppd = (struct hfi1_pportdata *)(dd + 1); + for (i = 0; i < dd->num_pports; i++, ppd++) { + kfree(ppd->cntrs); diff --git a/queue-5.15/misdn-update-parameter-type-of-dsp_cmx_send.patch b/queue-5.15/misdn-update-parameter-type-of-dsp_cmx_send.patch new file mode 100644 index 00000000000..3692543af9f --- /dev/null +++ b/queue-5.15/misdn-update-parameter-type-of-dsp_cmx_send.patch 
@@ -0,0 +1,75 @@ +From 1696ec8654016dad3b1baf6c024303e584400453 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 2 Aug 2023 10:40:29 -0700 +Subject: mISDN: Update parameter type of dsp_cmx_send() + +From: Nathan Chancellor + +commit 1696ec8654016dad3b1baf6c024303e584400453 upstream. + +When booting a kernel with CONFIG_MISDN_DSP=y and CONFIG_CFI_CLANG=y, +there is a failure when dsp_cmx_send() is called indirectly from +call_timer_fn(): + + [ 0.371412] CFI failure at call_timer_fn+0x2f/0x150 (target: dsp_cmx_send+0x0/0x530; expected type: 0x92ada1e9) + +The function pointer prototype that call_timer_fn() expects is + + void (*fn)(struct timer_list *) + +whereas dsp_cmx_send() has a parameter type of 'void *', which causes +the control flow integrity checks to fail because the parameter types do +not match. + +Change dsp_cmx_send()'s parameter type to be 'struct timer_list' to +match the expected prototype. The argument is unused anyways, so this +has no functional change, aside from avoiding the CFI failure. 
+ +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202308020936.58787e6c-oliver.sang@intel.com +Signed-off-by: Nathan Chancellor +Reviewed-by: Sami Tolvanen +Reviewed-by: Kees Cook +Fixes: e313ac12eb13 ("mISDN: Convert timers to use timer_setup()") +Link: https://lore.kernel.org/r/20230802-fix-dsp_cmx_send-cfi-failure-v1-1-2f2e79b0178d@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/mISDN/dsp.h | 2 +- + drivers/isdn/mISDN/dsp_cmx.c | 2 +- + drivers/isdn/mISDN/dsp_core.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/isdn/mISDN/dsp.h ++++ b/drivers/isdn/mISDN/dsp.h +@@ -247,7 +247,7 @@ extern void dsp_cmx_hardware(struct dsp_ + extern int dsp_cmx_conf(struct dsp *dsp, u32 conf_id); + extern void dsp_cmx_receive(struct dsp *dsp, struct sk_buff *skb); + extern void dsp_cmx_hdlc(struct dsp *dsp, struct sk_buff *skb); +-extern void dsp_cmx_send(void *arg); ++extern void dsp_cmx_send(struct timer_list *arg); + extern void dsp_cmx_transmit(struct dsp *dsp, struct sk_buff *skb); + extern int dsp_cmx_del_conf_member(struct dsp *dsp); + extern int dsp_cmx_del_conf(struct dsp_conf *conf); +--- a/drivers/isdn/mISDN/dsp_cmx.c ++++ b/drivers/isdn/mISDN/dsp_cmx.c +@@ -1625,7 +1625,7 @@ static u16 dsp_count; /* last sample cou + static int dsp_count_valid; /* if we have last sample count */ + + void +-dsp_cmx_send(void *arg) ++dsp_cmx_send(struct timer_list *arg) + { + struct dsp_conf *conf; + struct dsp_conf_member *member; +--- a/drivers/isdn/mISDN/dsp_core.c ++++ b/drivers/isdn/mISDN/dsp_core.c +@@ -1195,7 +1195,7 @@ static int __init dsp_init(void) + } + + /* set sample timer */ +- timer_setup(&dsp_spl_tl, (void *)dsp_cmx_send, 0); ++ timer_setup(&dsp_spl_tl, dsp_cmx_send, 0); + dsp_spl_tl.expires = jiffies + dsp_tics; + dsp_spl_jiffies = dsp_spl_tl.expires; + add_timer(&dsp_spl_tl); 
diff --git a/queue-5.15/net-core-remove-unnecessary-frame_sz-check-in-bpf_xdp_adjust_tail.patch b/queue-5.15/net-core-remove-unnecessary-frame_sz-check-in-bpf_xdp_adjust_tail.patch new file mode 100644 index 00000000000..62f6bdeb3a5 --- /dev/null +++ b/queue-5.15/net-core-remove-unnecessary-frame_sz-check-in-bpf_xdp_adjust_tail.patch 
@@ -0,0 +1,80 @@ +From d14eea09edf427fa36bd446f4a3271f99164202f Mon Sep 17 00:00:00 2001 +From: Andrew Kanner +Date: Thu, 3 Aug 2023 21:03:18 +0200 +Subject: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() + +From: Andrew Kanner + +commit d14eea09edf427fa36bd446f4a3271f99164202f upstream. + +Syzkaller reported the following issue: +======================================= +Too BIG xdp->frame_sz = 131072 +WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 + ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] +WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 + bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 +... +Call Trace: + + bpf_prog_4add87e5301a4105+0x1a/0x1c + __bpf_prog_run include/linux/filter.h:600 [inline] + bpf_prog_run_xdp include/linux/filter.h:775 [inline] + bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721 + netif_receive_generic_xdp net/core/dev.c:4807 [inline] + do_xdp_generic+0x35c/0x770 net/core/dev.c:4866 + tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919 + tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043 + call_write_iter include/linux/fs.h:1871 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x650/0xe40 fs/read_write.c:584 + ksys_write+0x12f/0x250 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 +("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper +Dangaard Brouer noted that after introducing the +xdp_init_buff() which all XDP driver use - it's safe to remove this +check. The original intend was to catch cases where XDP drivers have +not been updated to use xdp.frame_sz, but that is not longer a concern +(since xdp_init_buff). 
+ +Running the initial syzkaller repro it was discovered that the +contiguous physical memory allocation is used for both xdp paths in +tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also +stated by Jesper Dangaard Brouer that XDP can +work on higher order pages, as long as this is contiguous physical +memory (e.g. a page). + +Reported-and-tested-by: syzbot+f817490f5bd20541b90a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000774b9205f1d8a80d@google.com/T/ +Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a +Link: https://lore.kernel.org/all/20230725155403.796-1-andrew.kanner@gmail.com/T/ +Fixes: 43b5169d8355 ("net, xdp: Introduce xdp_init_buff utility routine") +Signed-off-by: Andrew Kanner +Acked-by: Jesper Dangaard Brouer +Acked-by: Jason Wang +Link: https://lore.kernel.org/r/20230803190316.2380231-1-andrew.kanner@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3843,12 +3843,6 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct x + if (unlikely(data_end > data_hard_end)) + return -EINVAL; + +- /* ALL drivers MUST init xdp->frame_sz, chicken check below */ +- if (unlikely(xdp->frame_sz > PAGE_SIZE)) { +- WARN_ONCE(1, "Too BIG xdp->frame_sz = %d\n", xdp->frame_sz); +- return -EINVAL; +- } +- + if (unlikely(data_end < xdp->data + ETH_HLEN)) + return -EINVAL; + diff --git a/queue-5.15/net-packet-annotate-data-races-around-tp-status.patch b/queue-5.15/net-packet-annotate-data-races-around-tp-status.patch new file mode 100644 index 00000000000..d110606af37 --- /dev/null +++ b/queue-5.15/net-packet-annotate-data-races-around-tp-status.patch 
@@ -0,0 +1,125 @@ +From 8a9896177784063d01068293caea3f74f6830ff6 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 3 Aug 2023 14:56:00 +0000 +Subject: net/packet: annotate data-races around tp->status + +From: Eric Dumazet + +commit 8a9896177784063d01068293caea3f74f6830ff6 upstream. + +Another syzbot report [1] is about tp->status lockless reads +from __packet_get_status() + +[1] +BUG: KCSAN: data-race in __packet_rcv_has_room / __packet_set_status + +write to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 0: +__packet_set_status+0x78/0xa0 net/packet/af_packet.c:407 +tpacket_rcv+0x18bb/0x1a60 net/packet/af_packet.c:2483 +deliver_skb net/core/dev.c:2173 [inline] +__netif_receive_skb_core+0x408/0x1e80 net/core/dev.c:5337 +__netif_receive_skb_one_core net/core/dev.c:5491 [inline] +__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +invoke_softirq kernel/softirq.c:445 [inline] +__irq_exit_rcu+0x57/0xa0 kernel/softirq.c:650 +sysvec_apic_timer_interrupt+0x6d/0x80 arch/x86/kernel/apic/apic.c:1106 +asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645 +smpboot_thread_fn+0x33c/0x4a0 kernel/smpboot.c:112 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +read to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 1: +__packet_get_status net/packet/af_packet.c:436 [inline] +packet_lookup_frame net/packet/af_packet.c:524 [inline] +__tpacket_has_room net/packet/af_packet.c:1255 [inline] +__packet_rcv_has_room+0x3f9/0x450 net/packet/af_packet.c:1298 +tpacket_rcv+0x275/0x1a60 net/packet/af_packet.c:2285 +deliver_skb net/core/dev.c:2173 [inline] +dev_queue_xmit_nit+0x38a/0x5e0 net/core/dev.c:2243 +xmit_one net/core/dev.c:3574 [inline] +dev_hard_start_xmit+0xcf/0x3f0 
net/core/dev.c:3594 +__dev_queue_xmit+0xefb/0x1d10 net/core/dev.c:4244 +dev_queue_xmit include/linux/netdevice.h:3088 [inline] +can_send+0x4eb/0x5d0 net/can/af_can.c:276 +bcm_can_tx+0x314/0x410 net/can/bcm.c:302 +bcm_tx_timeout_handler+0xdb/0x260 +__run_hrtimer kernel/time/hrtimer.c:1685 [inline] +__hrtimer_run_queues+0x217/0x700 kernel/time/hrtimer.c:1749 +hrtimer_run_softirq+0xd6/0x120 kernel/time/hrtimer.c:1766 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x0000000000000000 -> 0x0000000020000081 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.4.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 + +Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230803145600.2937518-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -368,18 +368,20 @@ static void __packet_set_status(struct p + { + union tpacket_uhdr h; + ++ /* WRITE_ONCE() are paired with READ_ONCE() in __packet_get_status */ ++ + h.raw = frame; + switch (po->tp_version) { + case TPACKET_V1: +- h.h1->tp_status = status; ++ WRITE_ONCE(h.h1->tp_status, status); + flush_dcache_page(pgv_to_page(&h.h1->tp_status)); + break; + case TPACKET_V2: +- h.h2->tp_status = status; ++ WRITE_ONCE(h.h2->tp_status, status); + flush_dcache_page(pgv_to_page(&h.h2->tp_status)); + break; + case TPACKET_V3: +- h.h3->tp_status = status; ++ WRITE_ONCE(h.h3->tp_status, status); + 
flush_dcache_page(pgv_to_page(&h.h3->tp_status)); + break; + default: +@@ -396,17 +398,19 @@ static int __packet_get_status(const str + + smp_rmb(); + ++ /* READ_ONCE() are paired with WRITE_ONCE() in __packet_set_status */ ++ + h.raw = frame; + switch (po->tp_version) { + case TPACKET_V1: + flush_dcache_page(pgv_to_page(&h.h1->tp_status)); +- return h.h1->tp_status; ++ return READ_ONCE(h.h1->tp_status); + case TPACKET_V2: + flush_dcache_page(pgv_to_page(&h.h2->tp_status)); +- return h.h2->tp_status; ++ return READ_ONCE(h.h2->tp_status); + case TPACKET_V3: + flush_dcache_page(pgv_to_page(&h.h3->tp_status)); +- return h.h3->tp_status; ++ return READ_ONCE(h.h3->tp_status); + default: + WARN(1, "TPACKET version not supported.\n"); + BUG(); diff --git a/queue-5.15/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch b/queue-5.15/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch new file mode 100644 index 00000000000..a7dae0d3290 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch 
@@ -0,0 +1,33 @@ +From 5ac8480ae4d01f0ca5dfd561884424046df2478a Mon Sep 17 00:00:00 2001 +From: Kalesh AP +Date: Wed, 9 Aug 2023 21:44:36 -0700 +Subject: RDMA/bnxt_re: Fix error handling in probe failure path + +From: Kalesh AP + +commit 5ac8480ae4d01f0ca5dfd561884424046df2478a upstream. + +During bnxt_re_dev_init(), when bnxt_re_setup_chip_ctx() fails unregister +with L2 first before bailing out probe. + +Fixes: ae8637e13185 ("RDMA/bnxt_re: Add chip context to identify 57500 series") +Link: https://lore.kernel.org/r/1691642677-21369-3-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1406,6 +1406,8 @@ static int bnxt_re_dev_init(struct bnxt_ + + rc = bnxt_re_setup_chip_ctx(rdev, wqe_mode); + if (rc) { ++ bnxt_unregister_dev(rdev->en_dev); ++ clear_bit(BNXT_RE_FLAG_NETDEV_REGISTERED, &rdev->flags); + ibdev_err(&rdev->ibdev, "Failed to get chip context\n"); + return -EINVAL; + } diff --git a/queue-5.15/rdma-umem-set-iova-in-odp-flow.patch b/queue-5.15/rdma-umem-set-iova-in-odp-flow.patch new file mode 100644 index 00000000000..c56a5467d8c --- /dev/null +++ b/queue-5.15/rdma-umem-set-iova-in-odp-flow.patch 
@@ -0,0 +1,63 @@ +From 186b169cf1e4be85aa212a893ea783a543400979 Mon Sep 17 00:00:00 2001 +From: Michael Guralnik +Date: Wed, 19 Jul 2023 12:02:41 +0300 +Subject: RDMA/umem: Set iova in ODP flow + +From: Michael Guralnik + +commit 186b169cf1e4be85aa212a893ea783a543400979 upstream. + +Fixing the ODP registration flow to set the iova correctly. +The calculation in ib_umem_num_dma_blocks() function assumes the iova of +the umem is set correctly. + +When iova is not set, the calculation in ib_umem_num_dma_blocks() is +equivalent to length/page_size, which is true only when memory is aligned. +For unaligned memory, iova must be set for the ALIGN() in the +ib_umem_num_dma_blocks() to take effect and return a correct value. + +mlx5_ib uses ib_umem_num_dma_blocks() to decide the mkey size to use for +the MR. Without this fix, when registering unaligned ODP MR, a wrong +size mkey might be chosen and this might cause the UMR to fail. + +UMR would fail over insufficient size to update the mkey translation: +infiniband mlx5_0: dump_cqe:273:(pid 0): dump error cqe +00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000030: 00 00 00 00 0f 00 78 06 25 00 00 58 00 da ac d2 +infiniband mlx5_0: mlx5_ib_post_send_wait:806:(pid 20311): reg umr +failed (6) +infiniband mlx5_0: pagefault_real_mr:661:(pid 20311): Failed to update +mkey page tables + +Fixes: f0093fb1a7cb ("RDMA/mlx5: Move mlx5_ib_cont_pages() to the creation of the mlx5_ib_mr") +Fixes: a665aca89a41 ("RDMA/umem: Split ib_umem_num_pages() into ib_umem_num_dma_blocks()") +Signed-off-by: Artemy Kovalyov +Signed-off-by: Michael Guralnik +Link: https://lore.kernel.org/r/3d4be7ca2155bf239dd8c00a2d25974a92c26ab8.1689757344.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + 
+--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -85,6 +85,8 @@ unsigned long ib_umem_find_best_pgsz(str + dma_addr_t mask; + int i; + ++ umem->iova = va = virt; ++ + if (umem->is_odp) { + unsigned int page_size = BIT(to_ib_umem_odp(umem)->page_shift); + +@@ -100,7 +102,6 @@ unsigned long ib_umem_find_best_pgsz(str + */ + pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT); + +- umem->iova = va = virt; + /* The best result is the smallest page size that results in the minimum + * number of required pages. Compute the largest page size that could + * work based on VA address bits that don't change. diff --git a/queue-5.15/selftests-forwarding-add-a-helper-to-skip-test-when-using-veth-pairs.patch b/queue-5.15/selftests-forwarding-add-a-helper-to-skip-test-when-using-veth-pairs.patch new file mode 100644 index 00000000000..1a8534e8d8a --- /dev/null +++ b/queue-5.15/selftests-forwarding-add-a-helper-to-skip-test-when-using-veth-pairs.patch 
@@ -0,0 +1,46 @@ +From 66e131861ab7bf754b50813216f5c6885cd32d63 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 8 Aug 2023 17:14:52 +0300 +Subject: selftests: forwarding: Add a helper to skip test when using veth pairs + +From: Ido Schimmel + +commit 66e131861ab7bf754b50813216f5c6885cd32d63 upstream. + +A handful of tests require physical loopbacks to be used instead of veth +pairs. Add a helper that these tests will invoke in order to be skipped +when executed with veth pairs. + +Fixes: 64916b57c0b1 ("selftests: forwarding: Add speed and auto-negotiation test") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Tested-by: Mirsad Todorovac +Reviewed-by: Hangbin Liu +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230808141503.4060661-7-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/lib.sh | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/tools/testing/selftests/net/forwarding/lib.sh ++++ b/tools/testing/selftests/net/forwarding/lib.sh +@@ -122,6 +122,17 @@ check_ethtool_lanes_support() + fi + } + ++skip_on_veth() ++{ ++ local kind=$(ip -j -d link show dev ${NETIFS[p1]} | ++ jq -r '.[].linkinfo.info_kind') ++ ++ if [[ $kind == veth ]]; then ++ echo "SKIP: Test cannot be run with veth pairs" ++ exit $ksft_skip ++ fi ++} ++ + if [[ "$(id -u)" -ne 0 ]]; then + echo "SKIP: need root privileges" + exit $ksft_skip diff --git a/queue-5.15/selftests-forwarding-ethtool-skip-when-using-veth-pairs.patch b/queue-5.15/selftests-forwarding-ethtool-skip-when-using-veth-pairs.patch new file mode 100644 index 00000000000..1e87af77367 --- /dev/null +++ b/queue-5.15/selftests-forwarding-ethtool-skip-when-using-veth-pairs.patch 
@@ -0,0 +1,45 @@ +From 60a36e21915c31c0375d9427be9406aa8ce2ec34 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 8 Aug 2023 17:14:53 +0300 +Subject: selftests: forwarding: ethtool: Skip when using veth pairs + +From: Ido Schimmel + +commit 60a36e21915c31c0375d9427be9406aa8ce2ec34 upstream. + +Auto-negotiation cannot be tested with veth pairs, resulting in +failures: + + # ./ethtool.sh + TEST: force of same speed autoneg off [FAIL] + error in configuration. swp1 speed Not autoneg off + [...] + +Fix by skipping the test when used with veth pairs. + +Fixes: 64916b57c0b1 ("selftests: forwarding: Add speed and auto-negotiation test") +Reported-by: Mirsad Todorovac +Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/ +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Tested-by: Mirsad Todorovac +Reviewed-by: Hangbin Liu +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230808141503.4060661-8-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/ethtool.sh | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/testing/selftests/net/forwarding/ethtool.sh ++++ b/tools/testing/selftests/net/forwarding/ethtool.sh +@@ -286,6 +286,8 @@ different_speeds_autoneg_on() + ethtool -s $h1 autoneg on + } + ++skip_on_veth ++ + trap cleanup EXIT + + setup_prepare diff --git a/queue-5.15/selftests-forwarding-ethtool_extended_state-skip-when-using-veth-pairs.patch b/queue-5.15/selftests-forwarding-ethtool_extended_state-skip-when-using-veth-pairs.patch new file mode 100644 index 00000000000..6b6d8684648 --- /dev/null +++ b/queue-5.15/selftests-forwarding-ethtool_extended_state-skip-when-using-veth-pairs.patch 
@@ -0,0 +1,45 @@ +From b3d9305e60d121dac20a77b6847c4cf14a4c0001 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 8 Aug 2023 17:14:54 +0300 +Subject: selftests: forwarding: ethtool_extended_state: Skip when using veth pairs + +From: Ido Schimmel + +commit b3d9305e60d121dac20a77b6847c4cf14a4c0001 upstream. + +Ethtool extended state cannot be tested with veth pairs, resulting in +failures: + + # ./ethtool_extended_state.sh + TEST: Autoneg, No partner detected [FAIL] + Expected "Autoneg", got "Link detected: no" + [...] + +Fix by skipping the test when used with veth pairs. + +Fixes: 7d10bcce98cd ("selftests: forwarding: Add tests for ethtool extended state") +Reported-by: Mirsad Todorovac +Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/ +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Tested-by: Mirsad Todorovac +Reviewed-by: Hangbin Liu +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230808141503.4060661-9-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/ethtool_extended_state.sh | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/testing/selftests/net/forwarding/ethtool_extended_state.sh ++++ b/tools/testing/selftests/net/forwarding/ethtool_extended_state.sh +@@ -95,6 +95,8 @@ no_cable() + ip link set dev $swp3 down + } + ++skip_on_veth ++ + setup_prepare + + tests_run diff --git a/queue-5.15/selftests-forwarding-skip-test-when-no-interfaces-are-specified.patch b/queue-5.15/selftests-forwarding-skip-test-when-no-interfaces-are-specified.patch new file mode 100644 index 00000000000..64d7c551e82 --- /dev/null +++ b/queue-5.15/selftests-forwarding-skip-test-when-no-interfaces-are-specified.patch 
@@ -0,0 +1,68 @@ +From d72c83b1e4b4a36a38269c77a85ff52f95eb0d08 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 8 Aug 2023 17:14:47 +0300 +Subject: selftests: forwarding: Skip test when no interfaces are specified + +From: Ido Schimmel + +commit d72c83b1e4b4a36a38269c77a85ff52f95eb0d08 upstream. + +As explained in [1], the forwarding selftests are meant to be run with +either physical loopbacks or veth pairs. The interfaces are expected to +be specified in a user-provided forwarding.config file or as command +line arguments. By default, this file is not present and the tests fail: + + # make -C tools/testing/selftests TARGETS=net/forwarding run_tests + [...] + TAP version 13 + 1..102 + # timeout set to 45 + # selftests: net/forwarding: bridge_igmp.sh + # Command line is not complete. Try option "help" + # Failed to create netif + not ok 1 selftests: net/forwarding: bridge_igmp.sh # exit=1 + [...] + +Fix by skipping a test if interfaces are not provided either via the +configuration file or command line arguments. + + # make -C tools/testing/selftests TARGETS=net/forwarding run_tests + [...] + TAP version 13 + 1..102 + # timeout set to 45 + # selftests: net/forwarding: bridge_igmp.sh + # SKIP: Cannot create interface. 
Name not specified + ok 1 selftests: net/forwarding: bridge_igmp.sh # SKIP + +[1] tools/testing/selftests/net/forwarding/README + +Fixes: 81573b18f26d ("selftests/net/forwarding: add Makefile to install tests") +Reported-by: Mirsad Todorovac +Closes: https://lore.kernel.org/netdev/856d454e-f83c-20cf-e166-6dc06cbc1543@alu.unizg.hr/ +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Tested-by: Mirsad Todorovac +Reviewed-by: Hangbin Liu +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230808141503.4060661-2-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/lib.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/tools/testing/selftests/net/forwarding/lib.sh ++++ b/tools/testing/selftests/net/forwarding/lib.sh +@@ -185,6 +185,11 @@ create_netif_veth() + for ((i = 1; i <= NUM_NETIFS; ++i)); do + local j=$((i+1)) + ++ if [ -z ${NETIFS[p$i]} ]; then ++ echo "SKIP: Cannot create interface. Name not specified" ++ exit $ksft_skip ++ fi ++ + ip link show dev ${NETIFS[p$i]} &> /dev/null + if [[ $? -ne 0 ]]; then + ip link add ${NETIFS[p$i]} type veth \ diff --git a/queue-5.15/selftests-forwarding-switch-off-timeout.patch b/queue-5.15/selftests-forwarding-switch-off-timeout.patch new file mode 100644 index 00000000000..5729a42dc28 --- /dev/null +++ b/queue-5.15/selftests-forwarding-switch-off-timeout.patch 
@@ -0,0 +1,49 @@ +From 0529883ad102f6c04e19fb7018f31e1bda575bbe Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 8 Aug 2023 17:14:48 +0300 +Subject: selftests: forwarding: Switch off timeout + +From: Ido Schimmel + +commit 0529883ad102f6c04e19fb7018f31e1bda575bbe upstream. + +The default timeout for selftests is 45 seconds, but it is not enough +for forwarding selftests which can takes minutes to finish depending on +the number of tests cases: + + # make -C tools/testing/selftests TARGETS=net/forwarding run_tests + TAP version 13 + 1..102 + # timeout set to 45 + # selftests: net/forwarding: bridge_igmp.sh + # TEST: IGMPv2 report 239.10.10.10 [ OK ] + # TEST: IGMPv2 leave 239.10.10.10 [ OK ] + # TEST: IGMPv3 report 239.10.10.10 is_include [ OK ] + # TEST: IGMPv3 report 239.10.10.10 include -> allow [ OK ] + # + not ok 1 selftests: net/forwarding: bridge_igmp.sh # TIMEOUT 45 seconds + +Fix by switching off the timeout and setting it to 0. A similar change +was done for BPF selftests in commit 6fc5916cc256 ("selftests: bpf: +Switch off timeout"). + +Fixes: 81573b18f26d ("selftests/net/forwarding: add Makefile to install tests") +Reported-by: Mirsad Todorovac +Closes: https://lore.kernel.org/netdev/8d149f8c-818e-d141-a0ce-a6bae606bc22@alu.unizg.hr/ +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Tested-by: Mirsad Todorovac +Reviewed-by: Hangbin Liu +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230808141503.4060661-3-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/settings | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 tools/testing/selftests/net/forwarding/settings + +--- /dev/null ++++ b/tools/testing/selftests/net/forwarding/settings +@@ -0,0 +1 @@ ++timeout=0 
diff --git a/queue-5.15/selftests-forwarding-tc_flower-relax-success-criterion.patch b/queue-5.15/selftests-forwarding-tc_flower-relax-success-criterion.patch new file mode 100644 index 00000000000..57a1c300f46 --- /dev/null +++ b/queue-5.15/selftests-forwarding-tc_flower-relax-success-criterion.patch 
@@ -0,0 +1,56 @@ +From 9ee37e53e7687654b487fc94e82569377272a7a8 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 8 Aug 2023 17:14:58 +0300 +Subject: selftests: forwarding: tc_flower: Relax success criterion + +From: Ido Schimmel + +commit 9ee37e53e7687654b487fc94e82569377272a7a8 upstream. + +The test checks that filters that match on source or destination MAC +were only hit once. A host can send more than one packet with a given +source or destination MAC, resulting in failures. + +Fix by relaxing the success criterion and instead check that the filters +were not hit zero times. Using tc_check_at_least_x_packets() is also an +option, but it is not available in older kernels. + +Fixes: 07e5c75184a1 ("selftests: forwarding: Introduce tc flower matching tests") +Reported-by: Mirsad Todorovac +Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/ +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Tested-by: Mirsad Todorovac +Reviewed-by: Hangbin Liu +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230808141503.4060661-13-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/tc_flower.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/forwarding/tc_flower.sh ++++ b/tools/testing/selftests/net/forwarding/tc_flower.sh +@@ -52,8 +52,8 @@ match_dst_mac_test() + tc_check_packets "dev $h2 ingress" 101 1 + check_fail $? "Matched on a wrong filter" + +- tc_check_packets "dev $h2 ingress" 102 1 +- check_err $? "Did not match on correct filter" ++ tc_check_packets "dev $h2 ingress" 102 0 ++ check_fail $? "Did not match on correct filter" + + tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower + tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower +@@ -78,8 +78,8 @@ match_src_mac_test() + tc_check_packets "dev $h2 ingress" 101 1 + check_fail $? 
"Matched on a wrong filter" + +- tc_check_packets "dev $h2 ingress" 102 1 +- check_err $? "Did not match on correct filter" ++ tc_check_packets "dev $h2 ingress" 102 0 ++ check_fail $? "Did not match on correct filter" + + tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower + tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower diff --git a/queue-5.15/selftests-rseq-fix-build-with-undefined-__weak.patch b/queue-5.15/selftests-rseq-fix-build-with-undefined-__weak.patch new file mode 100644 index 00000000000..19cc5a3b4e1 --- /dev/null +++ b/queue-5.15/selftests-rseq-fix-build-with-undefined-__weak.patch 
@@ -0,0 +1,64 @@ +From d5ad9aae13dcced333c1a7816ff0a4fbbb052466 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Fri, 4 Aug 2023 20:22:11 +0100 +Subject: selftests/rseq: Fix build with undefined __weak + +From: Mark Brown + +commit d5ad9aae13dcced333c1a7816ff0a4fbbb052466 upstream. + +Commit 3bcbc20942db ("selftests/rseq: Play nice with binaries statically +linked against glibc 2.35+") which is now in Linus' tree introduced uses +of __weak but did nothing to ensure that a definition is provided for it +resulting in build failures for the rseq tests: + +rseq.c:41:1: error: unknown type name '__weak' +__weak ptrdiff_t __rseq_offset; +^ +rseq.c:41:17: error: expected ';' after top level declarator +__weak ptrdiff_t __rseq_offset; + ^ + ; +rseq.c:42:1: error: unknown type name '__weak' +__weak unsigned int __rseq_size; +^ +rseq.c:43:1: error: unknown type name '__weak' +__weak unsigned int __rseq_flags; + +Fix this by using the definition from tools/include compiler.h. + +Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+") +Signed-off-by: Mark Brown +Message-Id: <20230804-kselftest-rseq-build-v1-1-015830b66aa9@kernel.org> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/rseq/Makefile | 4 +++- + tools/testing/selftests/rseq/rseq.c | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/rseq/Makefile ++++ b/tools/testing/selftests/rseq/Makefile +@@ -4,8 +4,10 @@ ifneq ($(shell $(CC) --version 2>&1 | he + CLANG_FLAGS += -no-integrated-as + endif + ++top_srcdir = ../../../.. 
++ + CFLAGS += -O2 -Wall -g -I./ -I../../../../usr/include/ -L$(OUTPUT) -Wl,-rpath=./ \ +- $(CLANG_FLAGS) ++ $(CLANG_FLAGS) -I$(top_srcdir)/tools/include + LDLIBS += -lpthread -ldl + + # Own dependencies because we only want to build against 1st prerequisite, but +--- a/tools/testing/selftests/rseq/rseq.c ++++ b/tools/testing/selftests/rseq/rseq.c +@@ -29,6 +29,8 @@ + #include + #include + ++#include ++ + #include "../kselftest.h" + #include "rseq.h" + diff --git a/queue-5.15/series b/queue-5.15/series index 4022f5e96d6..579a5665996 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -33,3 +33,27 @@ x86-speculation-add-cpu_show_gds-prototype.patch x86-move-gds_ucode_mitigated-declaration-to-header.patch drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch +selftests-rseq-fix-build-with-undefined-__weak.patch +selftests-forwarding-add-a-helper-to-skip-test-when-using-veth-pairs.patch +selftests-forwarding-ethtool-skip-when-using-veth-pairs.patch +selftests-forwarding-ethtool_extended_state-skip-when-using-veth-pairs.patch +selftests-forwarding-skip-test-when-no-interfaces-are-specified.patch +selftests-forwarding-switch-off-timeout.patch +selftests-forwarding-tc_flower-relax-success-criterion.patch +net-core-remove-unnecessary-frame_sz-check-in-bpf_xdp_adjust_tail.patch +bpf-sockmap-fix-map-type-error-in-sock_map_del_link.patch +bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch +misdn-update-parameter-type-of-dsp_cmx_send.patch +net-packet-annotate-data-races-around-tp-status.patch +tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch +vlan-fix-vlan-0-memory-leak.patch +xsk-fix-refcount-underflow-in-error-path.patch +bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch +dccp-fix-data-race-around-dp-dccps_mss_cache.patch +drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch +iavf-fix-potential-races-for-fdir-filters.patch +ib-hfi1-fix-possible-panic-during-hotplug-remove.patch +drm-rockchip-don-t-spam-logs-in-atomic-check.patch +wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch +rdma-umem-set-iova-in-odp-flow.patch +rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch diff --git a/queue-5.15/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch b/queue-5.15/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch new file mode 100644 index 00000000000..e291f698531 --- /dev/null +++ b/queue-5.15/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch 
@@ -0,0 +1,48 @@ +From 6a7ac3d20593865209dceb554d8b3f094c6bd940 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 3 Aug 2023 17:26:49 +0200 +Subject: tunnels: fix kasan splat when generating ipv4 pmtu error + +From: Florian Westphal + +commit 6a7ac3d20593865209dceb554d8b3f094c6bd940 upstream. + +If we try to emit an icmp error in response to a nonliner skb, we get + +BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220 +Read of size 4 at addr ffff88811c50db00 by task iperf3/1691 +CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309 +[..] + kasan_report+0x105/0x140 + ip_compute_csum+0x134/0x220 + iptunnel_pmtud_build_icmp+0x554/0x1020 + skb_tunnel_check_pmtu+0x513/0xb80 + vxlan_xmit_one+0x139e/0x2ef0 + vxlan_xmit+0x1867/0x2760 + dev_hard_start_xmit+0x1ee/0x4f0 + br_dev_queue_push_xmit+0x4d1/0x660 + [..] + +ip_compute_csum() cannot deal with nonlinear skbs, so avoid it. +After this change, splat is gone and iperf3 is no longer stuck. + +Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") +Signed-off-by: Florian Westphal +Link: https://lore.kernel.org/r/20230803152653.29535-2-fw@strlen.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -224,7 +224,7 @@ static int iptunnel_pmtud_build_icmp(str + .un.frag.__unused = 0, + .un.frag.mtu = htons(mtu), + }; +- icmph->checksum = ip_compute_csum(icmph, len); ++ icmph->checksum = csum_fold(skb_checksum(skb, 0, len, 0)); + skb_reset_transport_header(skb); + + niph = skb_push(skb, sizeof(*niph)); diff --git a/queue-5.15/vlan-fix-vlan-0-memory-leak.patch b/queue-5.15/vlan-fix-vlan-0-memory-leak.patch new file mode 100644 index 00000000000..f00c108990f --- /dev/null +++ b/queue-5.15/vlan-fix-vlan-0-memory-leak.patch 
@@ -0,0 +1,90 @@ +From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Tue, 8 Aug 2023 11:35:21 +0200 +Subject: vlan: Fix VLAN 0 memory leak + +From: Vlad Buslov + +commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream. + +The referenced commit intended to fix memleak of VLAN 0 that is implicitly +created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it +doesn't take into account that the feature can be re-set during the +netdevice lifetime which will cause memory leak if feature is disabled +during the device deletion as illustrated by [0]. Fix the leak by +unconditionally deleting VLAN 0 on NETDEV_DOWN event. + +[0]: +> modprobe 8021q +> ip l set dev eth2 up +> ethtool -K eth2 rx-vlan-filter off +> modprobe -r mlx5_ib +> modprobe -r mlx5_core +> cat /sys/kernel/debug/kmemleak +unreferenced object 0xffff888103dcd900 (size 256): + comm "ip", pid 1490, jiffies 4294907305 (age 325.364s) + hex dump (first 32 bytes): + 00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00 ..]............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<00000000899f3bb9>] kmalloc_trace+0x25/0x80 + [<000000002889a7a2>] vlan_vid_add+0xa0/0x210 + [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q] + [<000000009a0716b1>] notifier_call_chain+0x35/0xb0 + [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0 + [<0000000053d2b05d>] dev_change_flags+0x4d/0x60 + [<00000000982807e9>] do_setlink+0x28d/0x10a0 + [<0000000058c1be00>] __rtnl_newlink+0x545/0x980 + [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70 + [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390 + [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100 + [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0 + [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0 + [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60 + [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200 + [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0 +unreferenced object 0xffff88813354fde0 (size 32): + comm "ip", pid 1490, jiffies 4294907305 (age 325.364s) + hex dump (first 32 bytes): + a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff ................ + 81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<00000000899f3bb9>] kmalloc_trace+0x25/0x80 + [<000000002da64724>] vlan_vid_add+0xdf/0x210 + [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q] + [<000000009a0716b1>] notifier_call_chain+0x35/0xb0 + [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0 + [<0000000053d2b05d>] dev_change_flags+0x4d/0x60 + [<00000000982807e9>] do_setlink+0x28d/0x10a0 + [<0000000058c1be00>] __rtnl_newlink+0x545/0x980 + [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70 + [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390 + [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100 + [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0 + [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0 + [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60 + [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200 + [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0 + +Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct") +Reviewed-by: Ido Schimmel +Signed-off-by: Vlad Buslov +Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -385,8 +385,7 @@ static int vlan_device_event(struct noti + dev->name); + vlan_vid_add(dev, htons(ETH_P_8021Q), 0); + } +- if (event == NETDEV_DOWN && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) ++ if (event == NETDEV_DOWN) + vlan_vid_del(dev, htons(ETH_P_8021Q), 0); + + vlan_info = rtnl_dereference(dev->vlan_info); diff --git a/queue-5.15/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch b/queue-5.15/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch new file mode 100644 index 00000000000..56e6b53db07 --- /dev/null +++ b/queue-5.15/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch 
@@ -0,0 +1,33 @@ +From 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 22 Jun 2023 18:59:19 +0200 +Subject: wifi: cfg80211: fix sband iftype data lookup for AP_VLAN + +From: Felix Fietkau + +commit 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 upstream. + +AP_VLAN interfaces are virtual, so doesn't really exist as a type for +capabilities. When passed in as a type, AP is the one that's really intended. + +Fixes: c4cbaf7973a7 ("cfg80211: Add support for HE") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230622165919.46841-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cfg80211.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -510,6 +510,9 @@ ieee80211_get_sband_iftype_data(const st + if (WARN_ON(iftype >= NL80211_IFTYPE_MAX)) + return NULL; + ++ if (iftype == NL80211_IFTYPE_AP_VLAN) ++ iftype = NL80211_IFTYPE_AP; ++ + for (i = 0; i < sband->n_iftype_data; i++) { + const struct ieee80211_sband_iftype_data *data = + &sband->iftype_data[i]; diff --git a/queue-5.15/xsk-fix-refcount-underflow-in-error-path.patch b/queue-5.15/xsk-fix-refcount-underflow-in-error-path.patch new file mode 100644 index 00000000000..ee2b9f58abc --- /dev/null +++ b/queue-5.15/xsk-fix-refcount-underflow-in-error-path.patch 
@@ -0,0 +1,46 @@ +From 85c2c79a07302fe68a1ad5cc449458cc559e314d Mon Sep 17 00:00:00 2001 +From: Magnus Karlsson +Date: Wed, 9 Aug 2023 16:28:43 +0200 +Subject: xsk: fix refcount underflow in error path + +From: Magnus Karlsson + +commit 85c2c79a07302fe68a1ad5cc449458cc559e314d upstream. + +Fix a refcount underflow problem reported by syzbot that can happen +when a system is running out of memory. If xp_alloc_tx_descs() fails, +and it can only fail due to not having enough memory, then the error +path is triggered. In this error path, the refcount of the pool is +decremented as it has incremented before. However, the reference to +the pool in the socket was not nulled. This means that when the socket +is closed later, the socket teardown logic will think that there is a +pool attached to the socket and try to decrease the refcount again, +leading to a refcount underflow. + +I chose this fix as it involved adding just a single line. Another +option would have been to move xp_get_pool() and the assignment of +xs->pool to after the if-statement and using xs_umem->pool instead of +xs->pool in the whole if-statement resulting in somewhat simpler code, +but this would have led to much more churn in the code base perhaps +making it harder to backport. + +Fixes: ba3beec2ec1d ("xsk: Fix possible crash when multiple sockets are created") +Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com +Signed-off-by: Magnus Karlsson +Link: https://lore.kernel.org/r/20230809142843.13944-1-magnus.karlsson@gmail.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Greg Kroah-Hartman +--- + net/xdp/xsk.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -1001,6 +1001,7 @@ static int xsk_bind(struct socket *sock, + err = xp_alloc_tx_descs(xs->pool, xs); + if (err) { + xp_put_pool(xs->pool); ++ xs->pool = NULL; + sockfd_put(sock); + goto out_unlock; + }
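Review bot: in the net/packet/af_packet.c hunk for __packet_get_status(), the added comment says only that READ_ONCE() is paired with WRITE_ONCE() in __packet_set_status(), not why a plain load is unsafe or where ordering comes from. The annotations stop load/store tearing and compiler refetching of tp_status, but they do not by themselves order the status word against the rest of the frame; that still rests on the smp_rmb() kept just above the switch. Extending the comment to say that tp_status is read locklessly (the KCSAN report shows __packet_rcv_has_room racing with tpacket_rcv) and that the barrier must stay would keep a later cleanup from removing either half.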
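Review bot: in the drivers/infiniband/hw/bnxt_re/main.c hunk, the failure branch of bnxt_re_setup_chip_ctx() now unwinds the L2 registration but still ends in "return -EINVAL;", so the actual rc from the callee is discarded. Returning rc would preserve the real cause for whoever debugs a failed probe. The commit message also does not say what goes wrong when the unregister is skipped (stale registration, later crash, leak), which makes it hard to judge the severity of the backport; one sentence on the observed symptom would help. Logging with ibdev_err() before calling bnxt_unregister_dev() would also keep the message adjacent to the failing call.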
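Review bot: in the first drivers/infiniband/core/umem.c hunk, "umem->iova = va = virt;" is hoisted above the "if (umem->is_odp)" branch with no comment, so ib_umem_find_best_pgsz() now writes umem->iova as a side effect on the ODP path as well, and nothing at the assignment says that ib_umem_num_dma_blocks() depends on it. The reasoning is only in the commit message. A short comment at the new location (iova must be set before the ODP early path because the block-count calculation reads it) would stop the line from being moved back down during a later tidy-up, which is exactly how the second hunk's old placement came to miss the ODP case.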
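Review bot: in the tools/testing/selftests/net/forwarding/lib.sh hunk adding skip_on_veth(), "local kind=$(ip -j -d link show dev ${NETIFS[p1]} | jq -r '.[].linkinfo.info_kind')" hides every failure mode: "local" masks the pipeline's exit status, and if jq is not installed or the ip call fails, kind is empty, the comparison with veth is false, and the test runs on veth anyway. Declaring "local kind" on its own line, quoting "${NETIFS[p1]}", and skipping (or at least warning) when the lookup itself fails would make the helper fail closed. The helper also inspects only p1; if that is intentional, a comment saying all ports are assumed to be of the same kind would document it.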
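Review bot: in the lib.sh hunk for create_netif_veth(), the new test "if [ -z ${NETIFS[p$i]} ]; then" is unquoted, so with an empty name it collapses to "[ -z ]", which is true only because the shell treats the lone "-z" as a non-empty string; a value containing whitespace would instead produce a "too many arguments" error. Writing it as [[ -z ${NETIFS[p$i]} ]] or quoting the expansion matches the [[ ... ]] style used by the neighbouring checks in this file and makes the behaviour deliberate. Since the check sits inside the for loop, it is also worth confirming that no veth from an earlier iteration is left behind when a later name is missing and the script exits with $ksft_skip.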
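Review bot: in the new tools/testing/selftests/net/forwarding/settings file, "timeout=0" removes the limit entirely rather than raising it, so a forwarding test that hangs will now stall the whole run_tests invocation instead of being reported as a TIMEOUT. The commit message justifies this by the BPF precedent and by tests taking minutes, which argues for a larger ceiling as much as for none. If unlimited is the intent, saying so in the commit message (and that CI is expected to impose its own outer timeout) would make the trade-off explicit.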
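Review bot: in both tools/testing/selftests/net/forwarding/tc_flower.sh hunks (match_dst_mac_test and match_src_mac_test), the replacement lines "tc_check_packets "dev $h2 ingress" 102 0" followed by "check_fail $? "Did not match on correct filter"" read as inverted without context: the test now asserts that the hit count is not zero by expecting an equality check against 0 to fail. That is only explained in the commit message. A one-line comment above each pair (filter may be hit more than once; tc_check_at_least_x_packets is not available in older kernels) would keep the next reader from "fixing" it back to check_err with a count of 1.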
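Review bot: in the tools/testing/selftests/rseq/Makefile hunk, the new "top_srcdir = ../../../.." is used only for the added "-I$(top_srcdir)/tools/include", while the same CFLAGS line still hard-codes "-I../../../../usr/include/". Two spellings of the same root on one line invite them to drift apart; either express the existing include through $(top_srcdir) as well or drop the variable and write the new path literally. It is also worth checking that assigning top_srcdir with "=" here does not override a value the selftests build infrastructure already provides when the directory is built from the top level.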
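Review bot: in the net/ipv4/ip_tunnel_core.c hunk, the replacement "icmph->checksum = csum_fold(skb_checksum(skb, 0, len, 0));" carries two unstated assumptions. Offset 0 is relative to skb->data, so the call is only correct while the ICMP header sits exactly at skb->data (consistent with the skb_reset_transport_header(skb) on the next line, but not stated), and the sum is only valid if icmph->checksum is still zero when it is computed, which the visible initializer lines (only the un.frag members) do not show. A brief comment covering both, plus a note that skb_checksum() is used because the skb may be nonlinear, would document why ip_compute_csum() must not come back here.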
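Review bot: in the net/8021q/vlan.c hunk, dropping the NETIF_F_HW_VLAN_CTAG_FILTER test makes "vlan_vid_del(dev, htons(ETH_P_8021Q), 0);" unconditional on NETDEV_DOWN, while the matching vlan_vid_add() a few lines above remains inside a conditional block. The add and delete are therefore no longer symmetric, and the delete will now run on devices where VLAN 0 was never added; the change relies on vlan_vid_del() being a harmless no-op in that case. A comment at the new "if (event == NETDEV_DOWN)" stating that assumption, and that the feature bit can change between UP and DOWN, would record why the asymmetry is intentional.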
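Review bot: in the net/xdp/xsk.c hunk, the added "xs->pool = NULL;" after xp_put_pool(xs->pool) has no comment, and the reason it matters (socket teardown treats a non-NULL xs->pool as an owned reference and drops it again) lives only in the commit message. A one-line comment at the assignment would protect it from being removed as redundant. Since the commit message itself describes the alternative of assigning xs->pool only after xp_alloc_tx_descs() succeeds, it would also be worth confirming in the review thread that no other error exit in xsk_bind() leaves xs->pool pointing at a pool whose reference has already been put.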