From: Sasha Levin Date: Sat, 4 Jan 2025 14:21:15 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v5.4.289~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fca7814734e29df892ecba52c3b3544a945d89e1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch b/queue-5.10/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch new file mode 100644 index 00000000000..3844d226cb1 --- /dev/null +++ b/queue-5.10/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch @@ -0,0 +1,149 @@ +From 0e76e6895463300c884fea2468855df76006087f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:10:04 +0000 +Subject: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK + +From: Eric Dumazet + +[ Upstream commit f91a5b8089389eb408501af2762f168c3aaa7b79 ] + +Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found +by syzbot. + +Rework vlan_get_protocol_dgram() to not touch skb at all, +so that it can be used from many cpus on the same skb. + +Add a const qualifier to skb argument. + +[1] +skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev: +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc900038d7638 EFLAGS: 00010282 +RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60 +R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140 +R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011 +FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585 + packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552 + sock_recvmsg_nosec net/socket.c:1033 [inline] + sock_recvmsg+0x22f/0x280 net/socket.c:1055 + ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803 + ___sys_recvmsg net/socket.c:2845 [inline] + do_recvmmsg+0x426/0xab0 net/socket.c:2940 + __sys_recvmmsg net/socket.c:3014 [inline] + __do_sys_recvmmsg net/socket.c:3037 [inline] + __se_sys_recvmmsg net/socket.c:3030 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") +Reported-by: syzbot+74f70bb1cb968bf09e4f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c5.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Chengen Du +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20241230161004.2681892-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_vlan.h | 16 +++++++++++++--- + net/packet/af_packet.c | 16 ++++------------ + 2 files changed, 17 insertions(+), 15 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index ce6714bec65f..64cfe7cd292c 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -582,13 +582,16 @@ static inline int vlan_get_tag(const struct sk_buff *skb, u16 *vlan_tci) + * vlan_get_protocol - get protocol EtherType. + * @skb: skbuff to query + * @type: first vlan protocol ++ * @mac_offset: MAC offset + * @depth: buffer to store length of eth and vlan tags in bytes + * + * Returns the EtherType of the packet, regardless of whether it is + * vlan encapsulated (normal or hardware accelerated) or not. + */ +-static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, +- int *depth) ++static inline __be16 __vlan_get_protocol_offset(const struct sk_buff *skb, ++ __be16 type, ++ int mac_offset, ++ int *depth) + { + unsigned int vlan_depth = skb->mac_len, parse_depth = VLAN_MAX_DEPTH; + +@@ -607,7 +610,8 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, + do { + struct vlan_hdr vhdr, *vh; + +- vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr); ++ vh = skb_header_pointer(skb, mac_offset + vlan_depth, ++ sizeof(vhdr), &vhdr); + if (unlikely(!vh || !--parse_depth)) + return 0; + +@@ -622,6 +626,12 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, + return type; + } + ++static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, ++ int *depth) ++{ ++ return __vlan_get_protocol_offset(skb, type, 0, depth); ++} ++ + /** + * vlan_get_protocol - get protocol EtherType. + * @skb: skbuff to query +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 49baa5924d74..2f69cf5270db 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -533,21 +533,13 @@ static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev) + return ntohs(vh->h_vlan_TCI); + } + +-static __be16 vlan_get_protocol_dgram(struct sk_buff *skb) ++static __be16 vlan_get_protocol_dgram(const struct sk_buff *skb) + { + __be16 proto = skb->protocol; + +- if (unlikely(eth_type_vlan(proto))) { +- u8 *skb_orig_data = skb->data; +- int skb_orig_len = skb->len; +- +- skb_push(skb, skb->data - skb_mac_header(skb)); +- proto = __vlan_get_protocol(skb, proto, NULL); +- if (skb_orig_data != skb->data) { +- skb->data = skb_orig_data; +- skb->len = skb_orig_len; +- } +- } ++ if (unlikely(eth_type_vlan(proto))) ++ proto = __vlan_get_protocol_offset(skb, proto, ++ skb_mac_offset(skb), NULL); + + return proto; + } +-- +2.39.5 + diff --git a/queue-5.10/af_packet-fix-vlan_get_tci-vs-msg_peek.patch b/queue-5.10/af_packet-fix-vlan_get_tci-vs-msg_peek.patch new file mode 100644 index 00000000000..abf17a3e444 --- /dev/null +++ b/queue-5.10/af_packet-fix-vlan_get_tci-vs-msg_peek.patch @@ -0,0 +1,102 @@ +From b11aeb156ac942c6a64e791b6d0d2b623c90a811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:10:03 +0000 +Subject: af_packet: fix vlan_get_tci() vs MSG_PEEK + +From: Eric Dumazet + +[ Upstream commit 77ee7a6d16b6ec07b5c3ae2b6b60a24c1afbed09 ] + +Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found +by syzbot. + +Rework vlan_get_tci() to not touch skb at all, +so that it can be used from many cpus on the same skb. + +Add a const qualifier to skb argument. + +[1] +skbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev: +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286 +RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50 +R10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140 +R13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014 +FS: 00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565 + packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616 + sock_recvmsg_nosec net/socket.c:1044 [inline] + sock_recvmsg+0x22f/0x280 net/socket.c:1066 + ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814 + ___sys_recvmsg net/socket.c:2856 [inline] + do_recvmmsg+0x426/0xab0 net/socket.c:2951 + __sys_recvmmsg net/socket.c:3025 [inline] + __do_sys_recvmmsg net/socket.c:3048 [inline] + __se_sys_recvmmsg net/socket.c:3041 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") +Reported-by: syzbot+8400677f3fd43f37d3bc@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c6.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Chengen Du +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20241230161004.2681892-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 01a191c8194b..49baa5924d74 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -503,10 +503,8 @@ static void *packet_current_frame(struct packet_sock *po, + return packet_lookup_frame(po, rb, rb->head, status); + } + +-static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) ++static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev) + { +- u8 *skb_orig_data = skb->data; +- int skb_orig_len = skb->len; + struct vlan_hdr vhdr, *vh; + unsigned int header_len; + +@@ -527,12 +525,8 @@ static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) + else + return 0; + +- skb_push(skb, skb->data - skb_mac_header(skb)); +- vh = skb_header_pointer(skb, header_len, sizeof(vhdr), &vhdr); +- if (skb_orig_data != skb->data) { +- skb->data = skb_orig_data; +- skb->len = skb_orig_len; +- } ++ vh = skb_header_pointer(skb, skb_mac_offset(skb) + header_len, ++ sizeof(vhdr), &vhdr); + if (unlikely(!vh)) + return 0; + +-- +2.39.5 + diff --git a/queue-5.10/alsa-usb-audio-us16x08-initialize-array-before-use.patch b/queue-5.10/alsa-usb-audio-us16x08-initialize-array-before-use.patch new file mode 100644 index 00000000000..8679c66ce4f --- /dev/null +++ b/queue-5.10/alsa-usb-audio-us16x08-initialize-array-before-use.patch @@ -0,0 +1,43 @@ +From 17b431a78a8923d9c0725a239a994b5e1f17115a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Dec 2024 11:32:42 +0530 +Subject: ALSA: usb-audio: US16x08: Initialize array before use + +From: Tanya Agarwal + +[ Upstream commit b06a6187ef983f501e93faa56209169752d3bde3 ] + +Initialize meter_urb array before use in mixer_us16x08.c. + +CID 1410197: (#1 of 1): Uninitialized scalar variable (UNINIT) +uninit_use_in_call: Using uninitialized value *meter_urb when +calling get_meter_levels_from_urb. + +Coverity Link: +https://scan7.scan.coverity.com/#/project-view/52849/11354?selectedIssue=1410197 + +Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk") +Signed-off-by: Tanya Agarwal +Link: https://patch.msgid.link/20241229060240.1642-1-tanyaagarwal25699@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_us16x08.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c +index bd63a9ce6a70..3959bbad0c4f 100644 +--- a/sound/usb/mixer_us16x08.c ++++ b/sound/usb/mixer_us16x08.c +@@ -687,7 +687,7 @@ static int snd_us16x08_meter_get(struct snd_kcontrol *kcontrol, + struct usb_mixer_elem_info *elem = kcontrol->private_data; + struct snd_usb_audio *chip = elem->head.mixer->chip; + struct snd_us16x08_meter_store *store = elem->private_data; +- u8 meter_urb[64]; ++ u8 meter_urb[64] = {0}; + + switch (kcontrol->private_value) { + case 0: { +-- +2.39.5 + diff --git a/queue-5.10/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch b/queue-5.10/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch new file mode 100644 index 00000000000..40c27fda4a1 --- /dev/null +++ b/queue-5.10/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch @@ -0,0 +1,74 @@ +From 0a2f3322800d860bae6766cc2001cf04b9d590ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 08:40:29 +0100 +Subject: drm/bridge: adv7511_audio: Update Audio InfoFrame properly + +From: Stefan Ekenberg + +[ Upstream commit 902806baf3c1e8383c1fe3ff0b6042b8cb5c2707 ] + +AUDIO_UPDATE bit (Bit 5 of MAIN register 0x4A) needs to be set to 1 +while updating Audio InfoFrame information and then set to 0 when done. +Otherwise partially updated Audio InfoFrames could be sent out. Two +cases where this rule were not followed are fixed: + - In adv7511_hdmi_hw_params() make sure AUDIO_UPDATE bit is updated + before/after setting ADV7511_REG_AUDIO_INFOFRAME. + - In audio_startup() use the correct register for clearing + AUDIO_UPDATE bit. + +The problem with corrupted audio infoframes were discovered by letting +a HDMI logic analyser check the output of ADV7535. + +Note that this patchs replaces writing REG_GC(1) with +REG_INFOFRAME_UPDATE. Bit 5 of REG_GC(1) is positioned within field +GC_PP[3:0] and that field doesn't control audio infoframe and is read- +only. My conclusion therefore was that the author if this code meant to +clear bit 5 of REG_INFOFRAME_UPDATE from the very beginning. + +Tested-by: Biju Das +Fixes: 53c515befe28 ("drm/bridge: adv7511: Add Audio support") +Signed-off-by: Stefan Ekenberg +Reviewed-by: Dmitry Baryshkov +Link: https://patchwork.freedesktop.org/patch/msgid/20241119-adv7511-audio-info-frame-v4-1-4ae68e76c89c@axis.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +index f101dd2819b5..0a1ac11e2e4f 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +@@ -147,7 +147,16 @@ int adv7511_hdmi_hw_params(struct device *dev, void *data, + ADV7511_AUDIO_CFG3_LEN_MASK, len); + regmap_update_bits(adv7511->regmap, ADV7511_REG_I2C_FREQ_ID_CFG, + ADV7511_I2C_FREQ_ID_CFG_RATE_MASK, rate << 4); +- regmap_write(adv7511->regmap, 0x73, 0x1); ++ ++ /* send current Audio infoframe values while updating */ ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, ++ BIT(5), BIT(5)); ++ ++ regmap_write(adv7511->regmap, ADV7511_REG_AUDIO_INFOFRAME(0), 0x1); ++ ++ /* use Audio infoframe updated info */ ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, ++ BIT(5), 0); + + return 0; + } +@@ -178,8 +187,9 @@ static int audio_startup(struct device *dev, void *data) + regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(0), + BIT(7) | BIT(6), BIT(7)); + /* use Audio infoframe updated info */ +- regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(1), ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, + BIT(5), 0); ++ + /* enable SPDIF receiver */ + if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF) + regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG, +-- +2.39.5 + diff --git a/queue-5.10/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch b/queue-5.10/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch new file mode 100644 index 00000000000..ad9128c323e --- /dev/null +++ b/queue-5.10/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch @@ -0,0 +1,82 @@ +From ade6a3a28bd13f0e15cdc88d77fbc8f784e8fe83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2024 15:30:07 +0300 +Subject: eth: bcmsysport: fix call balance of priv->clk handling routines + +From: Vitalii Mordan + +[ Upstream commit b255ef45fcc2141c1bf98456796abb956d843a27 ] + +Check the return value of clk_prepare_enable to ensure that priv->clk has +been successfully enabled. + +If priv->clk was not enabled during bcm_sysport_probe, bcm_sysport_resume, +or bcm_sysport_open, it must not be disabled in any subsequent execution +paths. + +Fixes: 31bc72d97656 ("net: systemport: fetch and use clock resources") +Signed-off-by: Vitalii Mordan +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20241227123007.2333397-1-mordan@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index ae1cf2ead9a9..1c6b7808a100 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1951,7 +1951,11 @@ static int bcm_sysport_open(struct net_device *dev) + unsigned int i; + int ret; + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) { ++ netdev_err(dev, "could not enable priv clock\n"); ++ return ret; ++ } + + /* Reset UniMAC */ + umac_reset(priv); +@@ -2622,7 +2626,11 @@ static int bcm_sysport_probe(struct platform_device *pdev) + goto err_deregister_notifier; + } + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) { ++ dev_err(&pdev->dev, "could not enable priv clock\n"); ++ goto err_deregister_netdev; ++ } + + priv->rev = topctrl_readl(priv, REV_CNTL) & REV_MASK; + dev_info(&pdev->dev, +@@ -2636,6 +2644,8 @@ static int bcm_sysport_probe(struct platform_device *pdev) + + return 0; + ++err_deregister_netdev: ++ unregister_netdev(dev); + err_deregister_notifier: + unregister_dsa_notifier(&priv->dsa_notifier); + err_deregister_fixed_link: +@@ -2807,7 +2817,12 @@ static int __maybe_unused bcm_sysport_resume(struct device *d) + if (!netif_running(dev)) + return 0; + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) { ++ netdev_err(dev, "could not enable priv clock\n"); ++ return ret; ++ } ++ + if (priv->wolopts) + clk_disable_unprepare(priv->wol_clk); + +-- +2.39.5 + diff --git a/queue-5.10/ila-serialize-calls-to-nf_register_net_hooks.patch b/queue-5.10/ila-serialize-calls-to-nf_register_net_hooks.patch new file mode 100644 index 00000000000..ead6d2b808c --- /dev/null +++ b/queue-5.10/ila-serialize-calls-to-nf_register_net_hooks.patch @@ -0,0 +1,113 @@ +From 56dc1fdf836a0425196a2efdd8f32957fabfa475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:28:49 +0000 +Subject: ila: serialize calls to nf_register_net_hooks() + +From: Eric Dumazet + +[ Upstream commit 260466b576bca0081a7d4acecc8e93687aa22d0e ] + +syzbot found a race in ila_add_mapping() [1] + +commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") +attempted to fix a similar issue. + +Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. + +Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). + +[1] + BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] + BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 +Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 + +CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xc3/0x620 mm/kasan/report.c:489 + kasan_report+0xd9/0x110 mm/kasan/report.c:602 + rht_key_hashfn include/linux/rhashtable.h:159 [inline] + __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 + rhashtable_lookup include/linux/rhashtable.h:646 [inline] + rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] + ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] + ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] + ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 + nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 + __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 + __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 + process_backlog+0x443/0x15f0 net/core/dev.c:6117 + __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 + napi_poll net/core/dev.c:6952 [inline] + net_rx_action+0xa94/0x1010 net/core/dev.c:7074 + handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 + __do_softirq kernel/softirq.c:595 [inline] + invoke_softirq kernel/softirq.c:435 [inline] + __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] + sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 + +Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility") +Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Florian Westphal +Cc: Tom Herbert +Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ila/ila_xlat.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c +index 1f7b674b7c58..31ad5ac74ee7 100644 +--- a/net/ipv6/ila/ila_xlat.c ++++ b/net/ipv6/ila/ila_xlat.c +@@ -201,6 +201,8 @@ static const struct nf_hook_ops ila_nf_hook_ops[] = { + }, + }; + ++static DEFINE_MUTEX(ila_mutex); ++ + static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp) + { + struct ila_net *ilan = net_generic(net, ila_net_id); +@@ -208,16 +210,20 @@ static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp) + spinlock_t *lock = ila_get_lock(ilan, xp->ip.locator_match); + int err = 0, order; + +- if (!ilan->xlat.hooks_registered) { ++ if (!READ_ONCE(ilan->xlat.hooks_registered)) { + /* We defer registering net hooks in the namespace until the + * first mapping is added. + */ +- err = nf_register_net_hooks(net, ila_nf_hook_ops, +- ARRAY_SIZE(ila_nf_hook_ops)); ++ mutex_lock(&ila_mutex); ++ if (!ilan->xlat.hooks_registered) { ++ err = nf_register_net_hooks(net, ila_nf_hook_ops, ++ ARRAY_SIZE(ila_nf_hook_ops)); ++ if (!err) ++ WRITE_ONCE(ilan->xlat.hooks_registered, true); ++ } ++ mutex_unlock(&ila_mutex); + if (err) + return err; +- +- ilan->xlat.hooks_registered = true; + } + + ila = kzalloc(sizeof(*ila), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.10/net-llc-reset-skb-transport_header.patch b/queue-5.10/net-llc-reset-skb-transport_header.patch new file mode 100644 index 00000000000..960d5d95bb2 --- /dev/null +++ b/queue-5.10/net-llc-reset-skb-transport_header.patch @@ -0,0 +1,62 @@ +From 3bbfe2f211d5187c69ad62a15511a3b4275ef837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 20:07:20 -0500 +Subject: net: llc: reset skb->transport_header + +From: Antonio Pastor + +[ Upstream commit a024e377efed31ecfb39210bed562932321345b3 ] + +802.2+LLC+SNAP frames received by napi_complete_done with GRO and DSA +have skb->transport_header set two bytes short, or pointing 2 bytes +before network_header & skb->data. As snap_rcv expects transport_header +to point to SNAP header (OID:PID) after LLC processing advances offset +over LLC header (llc_rcv & llc_fixup_skb), code doesn't find a match +and packet is dropped. + +Between napi_complete_done and snap_rcv, transport_header is not used +until __netif_receive_skb_core, where originally it was being reset. +Commit fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +only does so if not set, on the assumption the value was set correctly +by GRO (and also on assumption that "network stacks usually reset the +transport header anyway"). Afterwards it is moved forward by +llc_fixup_skb. + +Locally generated traffic shows up at __netif_receive_skb_core with no +transport_header set and is processed without issue. On a setup with +GRO but no DSA, transport_header and network_header are both set to +point to skb->data which is also correct. + +As issue is LLC specific, to avoid impacting non-LLC traffic, and to +follow up on original assumption made on previous code change, +llc_fixup_skb to reset the offset after skb pull. llc_fixup_skb +assumes the LLC header is at skb->data, and by definition SNAP header +immediately follows. + +Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +Signed-off-by: Antonio Pastor +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241225010723.2830290-1-antonio.pastor@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index 51bccfb00a9c..61b0159b2fbe 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -124,8 +124,8 @@ static inline int llc_fixup_skb(struct sk_buff *skb) + if (unlikely(!pskb_may_pull(skb, llc_len))) + return 0; + +- skb->transport_header += llc_len; + skb_pull(skb, llc_len); ++ skb_reset_transport_header(skb); + if (skb->protocol == htons(ETH_P_802_2)) { + __be16 pdulen; + s32 data_size; +-- +2.39.5 + diff --git a/queue-5.10/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch b/queue-5.10/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch new file mode 100644 index 00000000000..fb0828e604a --- /dev/null +++ b/queue-5.10/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch @@ -0,0 +1,37 @@ +From 584443e294603b69318be0dc26b648204daf1c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2020 15:03:36 -0800 +Subject: net/mlx5: Make API mlx5_core_is_ecpf accept const pointer + +From: Parav Pandit + +[ Upstream commit 3b1e58aa832ed537289be6a51a2015309688a90c ] + +Subsequent patch implements helper API which has mlx5_core_dev +as const pointer, make its caller API too const *. + +Signed-off-by: Parav Pandit +Reviewed-by: Bodong Wang +Signed-off-by: Saeed Mahameed +Stable-dep-of: e05feab22fd7 ("RDMA/mlx5: Enforce same type port association for multiport RoCE") +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/driver.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 2cd89af4dbf6..30d7716675b4 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1142,7 +1142,7 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev) + return dev->coredev_type == MLX5_COREDEV_VF; + } + +-static inline bool mlx5_core_is_ecpf(struct mlx5_core_dev *dev) ++static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev) + { + return dev->caps.embedded_cpu; + } +-- +2.39.5 + diff --git a/queue-5.10/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch b/queue-5.10/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch new file mode 100644 index 00000000000..ba270c4eecb --- /dev/null +++ b/queue-5.10/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch @@ -0,0 +1,96 @@ +From e022a983442f60205fcc5d9fbd78e32c5c411e13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Dec 2024 00:29:20 +0100 +Subject: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext + +From: Pablo Neira Ayuso + +[ Upstream commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 ] + +Access to genmask field in struct nft_set_ext results in unaligned +atomic read: + +[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c +[ 72.131036] Mem abort info: +[ 72.131213] ESR = 0x0000000096000021 +[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits +[ 72.132209] SET = 0, FnV = 0 +[ 72.133216] EA = 0, S1PTW = 0 +[ 72.134080] FSC = 0x21: alignment fault +[ 72.135593] Data abort info: +[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 +[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000 +[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, ++pte=0068000102bb7707 +[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP +[...] +[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2 +[ 72.170509] Tainted: [E]=UNSIGNED_MODULE +[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023 +[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] +[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables] +[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables] +[ 72.172546] sp : ffff800081f2bce0 +[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038 +[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78 +[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78 +[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000 +[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978 +[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0 +[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000 +[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000 +[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000 +[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004 +[ 72.176207] Call trace: +[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P) +[ 72.176653] process_one_work+0x178/0x3d0 +[ 72.176831] worker_thread+0x200/0x3f0 +[ 72.176995] kthread+0xe8/0xf8 +[ 72.177130] ret_from_fork+0x10/0x20 +[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f) +[ 72.177557] ---[ end trace 0000000000000000 ]--- + +Align struct nft_set_ext to word size to address this and +documentation it. + +pahole reports that this increases the size of elements for rhash and +pipapo in 8 bytes on x86_64. + +Fixes: 7ffc7481153b ("netfilter: nft_set_hash: skip duplicated elements pending gc run") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 484f9cdf2dd0..31edeafeda77 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -609,15 +609,18 @@ struct nft_set_ext_tmpl { + /** + * struct nft_set_ext - set extensions + * +- * @genmask: generation mask ++ * @genmask: generation mask, but also flags (see NFT_SET_ELEM_DEAD_BIT) + * @offset: offsets of individual extension types + * @data: beginning of extension data ++ * ++ * This structure must be aligned to word size, otherwise atomic bitops ++ * on genmask field can cause alignment failure on some archs. + */ + struct nft_set_ext { + u8 genmask; + u8 offset[NFT_SET_EXT_NUM]; + char data[]; +-}; ++} __aligned(BITS_PER_LONG / 8); + + static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) + { +-- +2.39.5 + diff --git a/queue-5.10/netrom-check-buffer-length-before-accessing-it.patch b/queue-5.10/netrom-check-buffer-length-before-accessing-it.patch new file mode 100644 index 00000000000..0888c0c3794 --- /dev/null +++ b/queue-5.10/netrom-check-buffer-length-before-accessing-it.patch @@ -0,0 +1,105 @@ +From be049cbe5de406ec1cca91dd1d687f2b60dd4b01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 08:23:07 +0000 +Subject: netrom: check buffer length before accessing it + +From: Ilya Shchipletsov + +[ Upstream commit a4fd163aed2edd967a244499754dec991d8b4c7d ] + +Syzkaller reports an uninit value read from ax25cmp when sending raw message +through ieee802154 implementation. + +===================================================== +BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 + ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 + nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601 + nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774 + nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 + __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 + dev_queue_xmit include/linux/netdevice.h:3134 [inline] + raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299 + ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 + __alloc_skb+0x318/0x740 net/core/skbuff.c:651 + alloc_skb include/linux/skbuff.h:1286 [inline] + alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 + sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 + sock_alloc_send_skb include/net/sock.h:1884 [inline] + raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282 + ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +===================================================== + +This issue occurs because the skb buffer is too small, and it's actual +allocation is aligned. This hides an actual issue, which is that nr_route_frame +does not validate the buffer size before using it. + +Fix this issue by checking skb->len before accessing any fields in skb->data. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Nikita Marushkin +Signed-off-by: Nikita Marushkin +Signed-off-by: Ilya Shchipletsov +Link: https://patch.msgid.link/20241219082308.3942-1-rabbelkin@mail.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_route.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index 9269b5e69b9a..8e15a0c96614 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -751,6 +751,12 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) + int ret; + struct sk_buff *skbn; + ++ /* ++ * Reject malformed packets early. Check that it contains at least 2 ++ * addresses and 1 byte more for Time-To-Live ++ */ ++ if (skb->len < 2 * sizeof(ax25_address) + 1) ++ return 0; + + nr_src = (ax25_address *)(skb->data + 0); + nr_dest = (ax25_address *)(skb->data + 7); +-- +2.39.5 + diff --git a/queue-5.10/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch b/queue-5.10/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch new file mode 100644 index 00000000000..3975ff27d8f --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch @@ -0,0 +1,64 @@ +From a0dbd3462999c223166d1c7bb895966e2e97bcdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 14:09:28 +0530 +Subject: RDMA/bnxt_re: Add check for path mtu in modify_qp + +From: Saravanan Vajravel + +[ Upstream commit 798653a0ee30d3cd495099282751c0f248614ae7 ] + +When RDMA app configures path MTU, add a check in modify_qp verb +to make sure that it doesn't go beyond interface MTU. If this +check fails, driver will fail the modify_qp verb. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Reviewed-by: Kalesh AP +Signed-off-by: Saravanan Vajravel +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241211083931.968831-3-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 26 +++++++++++++----------- + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 9ffd28ab526a..ea03da8056af 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1938,18 +1938,20 @@ int bnxt_re_modify_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr, + } + } + +- if (qp_attr_mask & IB_QP_PATH_MTU) { +- qp->qplib_qp.modify_flags |= +- CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; +- qp->qplib_qp.path_mtu = __from_ib_mtu(qp_attr->path_mtu); +- qp->qplib_qp.mtu = ib_mtu_enum_to_int(qp_attr->path_mtu); +- } else if (qp_attr->qp_state == IB_QPS_RTR) { +- qp->qplib_qp.modify_flags |= +- CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; +- qp->qplib_qp.path_mtu = +- __from_ib_mtu(iboe_get_mtu(rdev->netdev->mtu)); +- qp->qplib_qp.mtu = +- ib_mtu_enum_to_int(iboe_get_mtu(rdev->netdev->mtu)); ++ if (qp_attr->qp_state == IB_QPS_RTR) { ++ enum ib_mtu qpmtu; ++ ++ qpmtu = iboe_get_mtu(rdev->netdev->mtu); ++ if (qp_attr_mask & IB_QP_PATH_MTU) { ++ if (ib_mtu_enum_to_int(qp_attr->path_mtu) > ++ ib_mtu_enum_to_int(qpmtu)) ++ return -EINVAL; ++ qpmtu = qp_attr->path_mtu; ++ } ++ ++ qp->qplib_qp.modify_flags |= CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; ++ qp->qplib_qp.path_mtu = __from_ib_mtu(qpmtu); ++ qp->qplib_qp.mtu = ib_mtu_enum_to_int(qpmtu); + } + + if (qp_attr_mask & IB_QP_TIMEOUT) { +-- +2.39.5 + diff --git a/queue-5.10/rdma-bnxt_re-fix-max_qp_wrs-reported.patch b/queue-5.10/rdma-bnxt_re-fix-max_qp_wrs-reported.patch new file mode 100644 index 00000000000..82e4b4f9688 --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-max_qp_wrs-reported.patch @@ -0,0 +1,40 @@ +From cfd08b0d61c0557812a07bfb2dd96171fd1cd8ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Nov 2020 05:13:06 -0800 +Subject: RDMA/bnxt_re: Fix max_qp_wrs reported + +From: Selvin Xavier + +[ Upstream commit c63e1c4dfc33d1bdae395ee8fbcbfad4830b12c0 ] + +While creating qps, the driver adds one extra entry to the sq size passed +by the ULPs in order to avoid queue full condition. When ULPs creates QPs +with max_qp_wr reported, driver creates QP with 1 more than the max_wqes +supported by HW. Create QP fails in this case. To avoid this error, reduce +1 entry in max_qp_wqes and report it to the stack. + +Link: https://lore.kernel.org/r/1606741986-16477-1-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Devesh Sharma +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index f53d94c812ec..f9ceb19dc993 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -118,7 +118,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + * 128 WQEs needs to be reserved for the HW (8916). Prevent + * reporting the max number + */ +- attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS; ++ attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS + 1; + attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx) ? + 6 : sb->max_sge; + attr->max_cq = le32_to_cpu(sb->max_cq); +-- +2.39.5 + diff --git a/queue-5.10/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch b/queue-5.10/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch new file mode 100644 index 00000000000..b72315dd945 --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch @@ -0,0 +1,41 @@ +From 8f04682e21bb989ad8fed8bccc87949838072809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 14:09:31 +0530 +Subject: RDMA/bnxt_re: Fix reporting hw_ver in query_device + +From: Kalesh AP + +[ Upstream commit 7179fe0074a3c962e43a9e51169304c4911989ed ] + +Driver currently populates subsystem_device id in the +"hw_ver" field of ib_attr structure in query_device. + +Updated to populate PCI revision ID. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Reviewed-by: Preethi G +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241211083931.968831-6-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index ea03da8056af..089d7de829a0 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -137,7 +137,7 @@ int bnxt_re_query_device(struct ib_device *ibdev, + + ib_attr->vendor_id = rdev->en_dev->pdev->vendor; + ib_attr->vendor_part_id = rdev->en_dev->pdev->device; +- ib_attr->hw_ver = rdev->en_dev->pdev->subsystem_device; ++ ib_attr->hw_ver = rdev->en_dev->pdev->revision; + ib_attr->max_qp = dev_attr->max_qp; + ib_attr->max_qp_wr = dev_attr->max_qp_wqes; + ib_attr->device_cap_flags = +-- +2.39.5 + diff --git a/queue-5.10/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch b/queue-5.10/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch new file mode 100644 index 00000000000..5bfb0ebf766 --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch @@ -0,0 +1,43 @@ +From c0b045f06789b12491a14a2231015bbb0549543b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 15:56:49 +0530 +Subject: RDMA/bnxt_re: Fix the locking while accessing the QP table + +From: Selvin Xavier + +[ Upstream commit 9272cba0ded71b5a2084da3004ec7806b8cb7fd2 ] + +QP table handling is synchronized with destroy QP and Async +event from the HW. The same needs to be synchronized +during create_qp also. Use the same lock in create_qp also. + +Fixes: 76d3ddff7153 ("RDMA/bnxt_re: synchronize the qp-handle table array") +Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error") +Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing") +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241217102649.1377704-6-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 5f79371a1386..4ed78d25b6e9 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -1126,9 +1126,11 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) + rq->dbinfo.db = qp->dpi->dbr; + rq->dbinfo.max_slot = bnxt_qplib_set_rq_max_slot(rq->wqe_size); + } ++ spin_lock_bh(&rcfw->tbl_lock); + tbl_indx = map_qp_id_to_tbl_indx(qp->id, rcfw); + rcfw->qp_tbl[tbl_indx].qp_id = qp->id; + rcfw->qp_tbl[tbl_indx].qp_handle = (void *)qp; ++ spin_unlock_bh(&rcfw->tbl_lock); + + return 0; + fail: +-- +2.39.5 + diff --git a/queue-5.10/rdma-mlx5-enforce-same-type-port-association-for-mul.patch b/queue-5.10/rdma-mlx5-enforce-same-type-port-association-for-mul.patch new file mode 100644 index 00000000000..72f4f235f34 --- /dev/null +++ b/queue-5.10/rdma-mlx5-enforce-same-type-port-association-for-mul.patch @@ -0,0 +1,69 @@ +From 693213fdbc77bf655b7b465e1a38e79c9448eb5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 15:45:37 +0200 +Subject: RDMA/mlx5: Enforce same type port association for multiport RoCE + +From: Patrisious Haddad + +[ Upstream commit e05feab22fd7dabcd6d272c4e2401ec1acdfdb9b ] + +Different core device types such as PFs and VFs shouldn't be affiliated +together since they have different capabilities, fix that by enforcing +type check before doing the affiliation. + +Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") +Reviewed-by: Mark Bloch +Signed-off-by: Patrisious Haddad +Link: https://patch.msgid.link/88699500f690dff1c1852c1ddb71f8a1cc8b956e.1733233480.git.leonro@nvidia.com +Reviewed-by: Mateusz Polchlopek +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 6 ++++-- + include/linux/mlx5/driver.h | 6 ++++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index d36436d4277a..1800cea46b2d 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3565,7 +3565,8 @@ static int mlx5_ib_init_multiport_master(struct mlx5_ib_dev *dev) + list_for_each_entry(mpi, &mlx5_ib_unaffiliated_port_list, + list) { + if (dev->sys_image_guid == mpi->sys_image_guid && +- (mlx5_core_native_port_num(mpi->mdev) - 1) == i) { ++ (mlx5_core_native_port_num(mpi->mdev) - 1) == i && ++ mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) { + bound = mlx5_ib_bind_slave_port(dev, mpi); + } + +@@ -4766,7 +4767,8 @@ static void *mlx5_ib_add_slave_port(struct mlx5_core_dev *mdev) + + mutex_lock(&mlx5_ib_multiport_mutex); + list_for_each_entry(dev, &mlx5_ib_dev_list, ib_dev_list) { +- if (dev->sys_image_guid == mpi->sys_image_guid) ++ if (dev->sys_image_guid == mpi->sys_image_guid && ++ mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) + bound = mlx5_ib_bind_slave_port(dev, mpi); + + if (bound) { +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 30d7716675b4..68a12caf5eb1 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1142,6 +1142,12 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev) + return dev->coredev_type == MLX5_COREDEV_VF; + } + ++static inline bool mlx5_core_same_coredev_type(const struct mlx5_core_dev *dev1, ++ const struct mlx5_core_dev *dev2) ++{ ++ return dev1->coredev_type == dev2->coredev_type; ++} ++ + static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev) + { + return dev->caps.embedded_cpu; +-- +2.39.5 + diff --git a/queue-5.10/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch b/queue-5.10/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch new file mode 100644 index 00000000000..5f4297a95d9 --- /dev/null +++ b/queue-5.10/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch @@ -0,0 +1,71 @@ +From 53054b95e956464c7b9c4f099ddfe783c87319c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Dec 2024 09:34:16 +0800 +Subject: RDMA/rtrs: Ensure 'ib_sge list' is accessible + +From: Li Zhijian + +[ Upstream commit fb514b31395946022f13a08e06a435f53cf9e8b3 ] + +Move the declaration of the 'ib_sge list' variable outside the +'always_invalidate' block to ensure it remains accessible for use +throughout the function. + +Previously, 'ib_sge list' was declared within the 'always_invalidate' +block, limiting its accessibility, then caused a +'BUG: kernel NULL pointer dereference'[1]. + ? __die_body.cold+0x19/0x27 + ? page_fault_oops+0x15a/0x2d0 + ? search_module_extables+0x19/0x60 + ? search_bpf_extables+0x5f/0x80 + ? exc_page_fault+0x7e/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? memcpy_orig+0xd5/0x140 + rxe_mr_copy+0x1c3/0x200 [rdma_rxe] + ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe] + copy_data+0xa5/0x230 [rdma_rxe] + rxe_requester+0xd9b/0xf70 [rdma_rxe] + ? finish_task_switch.isra.0+0x99/0x2e0 + rxe_sender+0x13/0x40 [rdma_rxe] + do_task+0x68/0x1e0 [rdma_rxe] + process_one_work+0x177/0x330 + worker_thread+0x252/0x390 + ? __pfx_worker_thread+0x10/0x10 + +This change ensures the variable is available for subsequent operations +that require it. + +[1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/ + +Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality") +Signed-off-by: Li Zhijian +Link: https://patch.msgid.link/20241231013416.1290920-1-lizhijian@fujitsu.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +index b152a742cd3c..2b315974f478 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +@@ -381,6 +381,7 @@ static int send_io_resp_imm(struct rtrs_srv_con *con, struct rtrs_srv_op *id, + struct rtrs_srv_mr *srv_mr; + bool need_inval = false; + enum ib_send_flags flags; ++ struct ib_sge list; + u32 imm; + int err; + +@@ -431,7 +432,6 @@ static int send_io_resp_imm(struct rtrs_srv_con *con, struct rtrs_srv_op *id, + imm = rtrs_to_io_rsp_imm(id->msg_id, errno, need_inval); + imm_wr.wr.next = NULL; + if (always_invalidate) { +- struct ib_sge list; + struct rtrs_msg_rkey_rsp *msg; + + srv_mr = &sess->mrs[id->msg_id]; +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index d10bf037de4..2a28c20c804 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -96,3 +96,19 @@ block-remove-the-update_bdev-parameter-to-set_capaci.patch zram-use-set_capacity_and_notify.patch drivers-block-zram-zram_drv.c-do-not-keep-dangling-z.patch zram-fix-uninitialized-zram-not-releasing-backing-de.patch +net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch +rdma-mlx5-enforce-same-type-port-association-for-mul.patch +rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch +rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch +rdma-bnxt_re-fix-max_qp_wrs-reported.patch +rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch +drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch +netrom-check-buffer-length-before-accessing-it.patch +netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch +net-llc-reset-skb-transport_header.patch +alsa-usb-audio-us16x08-initialize-array-before-use.patch +eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch +rdma-rtrs-ensure-ib_sge-list-is-accessible.patch +af_packet-fix-vlan_get_tci-vs-msg_peek.patch +af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch +ila-serialize-calls-to-nf_register_net_hooks.patch