From: Sasha Levin Date: Sun, 13 Oct 2024 02:48:12 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v5.10.227~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ff0e4198204970bc404ebcef543257bca427c2a5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch b/queue-6.6/bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch new file mode 100644 index 00000000000..9614735c102 --- /dev/null +++ b/queue-6.6/bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch @@ -0,0 +1,51 @@ +From 5fb3a1d5d03129de359e83269825cbe8cdec3e4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 13:26:21 -0400 +Subject: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change + +From: Luiz Augusto von Dentz + +[ Upstream commit 08d1914293dae38350b8088980e59fbc699a72fe ] + +rfcomm_sk_state_change attempts to use sock_lock so it must never be +called with it locked but rfcomm_sock_ioctl always attempt to lock it +causing the following trace: + +====================================================== +WARNING: possible circular locking dependency detected +6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted +------------------------------------------------------ +syz-executor386/5093 is trying to acquire lock: +ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline] +ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73 + +but task is already holding lock: +ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491 + +Reported-by: syzbot+d7ce59b06b3eb14fd218@syzkaller.appspotmail.com +Tested-by: syzbot+d7ce59b06b3eb14fd218@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d7ce59b06b3eb14fd218 +Fixes: 3241ad820dbb ("[Bluetooth] Add timestamp support to L2CAP, RFCOMM and SCO") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/rfcomm/sock.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 29aa07e9db9d7..cbff37b327340 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -865,9 +865,7 @@ static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned lon + + if (err == -ENOIOCTLCMD) { + #ifdef CONFIG_BT_RFCOMM_TTY +- lock_sock(sk); + err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg); +- release_sock(sk); + #else + err = -EOPNOTSUPP; + #endif +-- +2.43.0 + diff --git a/queue-6.6/bridge-handle-error-of-rtnl_register_module.patch b/queue-6.6/bridge-handle-error-of-rtnl_register_module.patch new file mode 100644 index 00000000000..b59244b7933 --- /dev/null +++ b/queue-6.6/bridge-handle-error-of-rtnl_register_module.patch @@ -0,0 +1,116 @@ +From 1db24ab721cc1d942286e129d8abb8ac551483cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 11:47:34 -0700 +Subject: bridge: Handle error of rtnl_register_module(). + +From: Kuniyuki Iwashima + +[ Upstream commit cba5e43b0b757734b1e79f624d93a71435e31136 ] + +Since introduced, br_vlan_rtnl_init() has been ignoring the returned +value of rtnl_register_module(), which could fail silently. + +Handling the error allows users to view a module as an all-or-nothing +thing in terms of the rtnetlink functionality. This prevents syzkaller +from reporting spurious errors from its tests, where OOM often occurs +and module is automatically loaded. + +Let's handle the errors by rtnl_register_many(). + +Fixes: 8dcea187088b ("net: bridge: vlan: add rtm definitions and dump support") +Fixes: f26b296585dc ("net: bridge: vlan: add new rtm message support") +Fixes: adb3ce9bcb0f ("net: bridge: vlan: add del rtm message support") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_netlink.c | 6 +++++- + net/bridge/br_private.h | 5 +++-- + net/bridge/br_vlan.c | 19 +++++++++---------- + 3 files changed, 17 insertions(+), 13 deletions(-) + +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c +index 4488faf059a36..4b80ec5ae5700 100644 +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -1905,7 +1905,10 @@ int __init br_netlink_init(void) + { + int err; + +- br_vlan_rtnl_init(); ++ err = br_vlan_rtnl_init(); ++ if (err) ++ goto out; ++ + rtnl_af_register(&br_af_ops); + + err = rtnl_link_register(&br_link_ops); +@@ -1916,6 +1919,7 @@ int __init br_netlink_init(void) + + out_af: + rtnl_af_unregister(&br_af_ops); ++out: + return err; + } + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index e4f1a08322da9..72d80fd943a8a 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1547,7 +1547,7 @@ void br_vlan_get_stats(const struct net_bridge_vlan *v, + void br_vlan_port_event(struct net_bridge_port *p, unsigned long event); + int br_vlan_bridge_event(struct net_device *dev, unsigned long event, + void *ptr); +-void br_vlan_rtnl_init(void); ++int br_vlan_rtnl_init(void); + void br_vlan_rtnl_uninit(void); + void br_vlan_notify(const struct net_bridge *br, + const struct net_bridge_port *p, +@@ -1778,8 +1778,9 @@ static inline int br_vlan_bridge_event(struct net_device *dev, + return 0; + } + +-static inline void br_vlan_rtnl_init(void) ++static inline int br_vlan_rtnl_init(void) + { ++ return 0; + } + + static inline void br_vlan_rtnl_uninit(void) +diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c +index 15f44d026e75a..be714b4d7b430 100644 +--- a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -2296,19 +2296,18 @@ static int br_vlan_rtm_process(struct sk_buff *skb, struct nlmsghdr *nlh, + return err; + } + +-void br_vlan_rtnl_init(void) ++static const struct rtnl_msg_handler br_vlan_rtnl_msg_handlers[] = { ++ {THIS_MODULE, PF_BRIDGE, RTM_NEWVLAN, br_vlan_rtm_process, NULL, 0}, ++ {THIS_MODULE, PF_BRIDGE, RTM_DELVLAN, br_vlan_rtm_process, NULL, 0}, ++ {THIS_MODULE, PF_BRIDGE, RTM_GETVLAN, NULL, br_vlan_rtm_dump, 0}, ++}; ++ ++int br_vlan_rtnl_init(void) + { +- rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_GETVLAN, NULL, +- br_vlan_rtm_dump, 0); +- rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_NEWVLAN, +- br_vlan_rtm_process, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_DELVLAN, +- br_vlan_rtm_process, NULL, 0); ++ return rtnl_register_many(br_vlan_rtnl_msg_handlers); + } + + void br_vlan_rtnl_uninit(void) + { +- rtnl_unregister(PF_BRIDGE, RTM_GETVLAN); +- rtnl_unregister(PF_BRIDGE, RTM_NEWVLAN); +- rtnl_unregister(PF_BRIDGE, RTM_DELVLAN); ++ rtnl_unregister_many(br_vlan_rtnl_msg_handlers); + } +-- +2.43.0 + diff --git a/queue-6.6/btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch b/queue-6.6/btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch new file mode 100644 index 00000000000..68b34df0ca2 --- /dev/null +++ b/queue-6.6/btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch @@ -0,0 +1,50 @@ +From 1fe5515952c38c75cd17cd1b556a9b426311fc86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 15:02:56 +0100 +Subject: btrfs: zoned: fix missing RCU locking in error message when loading + zone info + +From: Filipe Manana + +[ Upstream commit fe4cd7ed128fe82ab9fe4f9fc8a73d4467699787 ] + +At btrfs_load_zone_info() we have an error path that is dereferencing +the name of a device which is a RCU string but we are not holding a RCU +read lock, which is incorrect. + +Fix this by using btrfs_err_in_rcu() instead of btrfs_err(). + +The problem is there since commit 08e11a3db098 ("btrfs: zoned: load zone's +allocation offset"), back then at btrfs_load_block_group_zone_info() but +then later on that code was factored out into the helper +btrfs_load_zone_info() by commit 09a46725cc84 ("btrfs: zoned: factor out +per-zone logic from btrfs_load_block_group_zone_info"). + +Fixes: 08e11a3db098 ("btrfs: zoned: load zone's allocation offset") +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Reviewed-by: Naohiro Aota +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/zoned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c +index 2784f6cb44822..c4463c3f2068d 100644 +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -1357,7 +1357,7 @@ static int btrfs_load_zone_info(struct btrfs_fs_info *fs_info, int zone_idx, + switch (zone.cond) { + case BLK_ZONE_COND_OFFLINE: + case BLK_ZONE_COND_READONLY: +- btrfs_err(fs_info, ++ btrfs_err_in_rcu(fs_info, + "zoned: offline/readonly zone %llu on device %s (devid %llu)", + (info->physical >> device->zone_info->zone_size_shift), + rcu_str_deref(device->name), device->devid); +-- +2.43.0 + diff --git a/queue-6.6/drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch b/queue-6.6/drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch new file mode 100644 index 00000000000..34c15563969 --- /dev/null +++ b/queue-6.6/drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch @@ -0,0 +1,198 @@ +From 4415c31adeac67b5509ac627b29d6f388e9c7eab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 14:38:22 +1000 +Subject: drm/nouveau: pass cli to nouveau_channel_new() instead of drm+device + +From: Ben Skeggs + +[ Upstream commit 5cca41ac70e5877383ed925bd017884c37edf09b ] + +Both of these are stored in nouveau_cli already, and also allows the +removal of some void casts. + +Signed-off-by: Ben Skeggs +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240726043828.58966-32-bskeggs@nvidia.com +Stable-dep-of: 04e0481526e3 ("nouveau/dmem: Fix privileged error in copy engine channel") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/dispnv04/crtc.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_abi16.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_bo.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_chan.c | 21 +++++++++++---------- + drivers/gpu/drm/nouveau/nouveau_chan.h | 3 ++- + drivers/gpu/drm/nouveau/nouveau_drm.c | 4 ++-- + 6 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv04/crtc.c b/drivers/gpu/drm/nouveau/dispnv04/crtc.c +index a34917b048f96..8c7fff19c97bb 100644 +--- a/drivers/gpu/drm/nouveau/dispnv04/crtc.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/crtc.c +@@ -1157,7 +1157,7 @@ nv04_crtc_page_flip(struct drm_crtc *crtc, struct drm_framebuffer *fb, + chan = drm->channel; + if (!chan) + return -ENODEV; +- cli = (void *)chan->user.client; ++ cli = chan->cli; + push = chan->chan.push; + + s = kzalloc(sizeof(*s), GFP_KERNEL); +diff --git a/drivers/gpu/drm/nouveau/nouveau_abi16.c b/drivers/gpu/drm/nouveau/nouveau_abi16.c +index 74b16e3913856..2e177ebab3039 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_abi16.c ++++ b/drivers/gpu/drm/nouveau/nouveau_abi16.c +@@ -351,7 +351,7 @@ nouveau_abi16_ioctl_channel_alloc(ABI16_IOCTL_ARGS) + list_add(&chan->head, &abi16->channels); + + /* create channel object and initialise dma and fence management */ +- ret = nouveau_channel_new(drm, device, false, runm, init->fb_ctxdma_handle, ++ ret = nouveau_channel_new(cli, false, runm, init->fb_ctxdma_handle, + init->tt_ctxdma_handle, &chan->chan); + if (ret) + goto done; +diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c +index 3a7f4ce34aa31..5d398a422459e 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_bo.c ++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c +@@ -843,7 +843,7 @@ nouveau_bo_move_m2mf(struct ttm_buffer_object *bo, int evict, + { + struct nouveau_drm *drm = nouveau_bdev(bo->bdev); + struct nouveau_channel *chan = drm->ttm.chan; +- struct nouveau_cli *cli = (void *)chan->user.client; ++ struct nouveau_cli *cli = chan->cli; + struct nouveau_fence *fence; + int ret; + +diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c +index 7c97b28868076..cee36b1efd391 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_chan.c ++++ b/drivers/gpu/drm/nouveau/nouveau_chan.c +@@ -52,7 +52,7 @@ static int + nouveau_channel_killed(struct nvif_event *event, void *repv, u32 repc) + { + struct nouveau_channel *chan = container_of(event, typeof(*chan), kill); +- struct nouveau_cli *cli = (void *)chan->user.client; ++ struct nouveau_cli *cli = chan->cli; + + NV_PRINTK(warn, cli, "channel %d killed!\n", chan->chid); + +@@ -66,7 +66,7 @@ int + nouveau_channel_idle(struct nouveau_channel *chan) + { + if (likely(chan && chan->fence && !atomic_read(&chan->killed))) { +- struct nouveau_cli *cli = (void *)chan->user.client; ++ struct nouveau_cli *cli = chan->cli; + struct nouveau_fence *fence = NULL; + int ret; + +@@ -142,10 +142,11 @@ nouveau_channel_wait(struct nvif_push *push, u32 size) + } + + static int +-nouveau_channel_prep(struct nouveau_drm *drm, struct nvif_device *device, ++nouveau_channel_prep(struct nouveau_cli *cli, + u32 size, struct nouveau_channel **pchan) + { +- struct nouveau_cli *cli = (void *)device->object.client; ++ struct nouveau_drm *drm = cli->drm; ++ struct nvif_device *device = &cli->device; + struct nv_dma_v0 args = {}; + struct nouveau_channel *chan; + u32 target; +@@ -155,6 +156,7 @@ nouveau_channel_prep(struct nouveau_drm *drm, struct nvif_device *device, + if (!chan) + return -ENOMEM; + ++ chan->cli = cli; + chan->device = device; + chan->drm = drm; + chan->vmm = nouveau_cli_vmm(cli); +@@ -254,7 +256,7 @@ nouveau_channel_prep(struct nouveau_drm *drm, struct nvif_device *device, + } + + static int +-nouveau_channel_ctor(struct nouveau_drm *drm, struct nvif_device *device, bool priv, u64 runm, ++nouveau_channel_ctor(struct nouveau_cli *cli, bool priv, u64 runm, + struct nouveau_channel **pchan) + { + const struct nvif_mclass hosts[] = { +@@ -279,7 +281,7 @@ nouveau_channel_ctor(struct nouveau_drm *drm, struct nvif_device *device, bool p + struct nvif_chan_v0 chan; + char name[TASK_COMM_LEN+16]; + } args; +- struct nouveau_cli *cli = (void *)device->object.client; ++ struct nvif_device *device = &cli->device; + struct nouveau_channel *chan; + const u64 plength = 0x10000; + const u64 ioffset = plength; +@@ -298,7 +300,7 @@ nouveau_channel_ctor(struct nouveau_drm *drm, struct nvif_device *device, bool p + size = ioffset + ilength; + + /* allocate dma push buffer */ +- ret = nouveau_channel_prep(drm, device, size, &chan); ++ ret = nouveau_channel_prep(cli, size, &chan); + *pchan = chan; + if (ret) + return ret; +@@ -493,13 +495,12 @@ nouveau_channel_init(struct nouveau_channel *chan, u32 vram, u32 gart) + } + + int +-nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device, ++nouveau_channel_new(struct nouveau_cli *cli, + bool priv, u64 runm, u32 vram, u32 gart, struct nouveau_channel **pchan) + { +- struct nouveau_cli *cli = (void *)device->object.client; + int ret; + +- ret = nouveau_channel_ctor(drm, device, priv, runm, pchan); ++ ret = nouveau_channel_ctor(cli, priv, runm, pchan); + if (ret) { + NV_PRINTK(dbg, cli, "channel create, %d\n", ret); + return ret; +diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.h b/drivers/gpu/drm/nouveau/nouveau_chan.h +index 5de2ef4e98c2b..260febd634ee2 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_chan.h ++++ b/drivers/gpu/drm/nouveau/nouveau_chan.h +@@ -12,6 +12,7 @@ struct nouveau_channel { + struct nvif_push *push; + } chan; + ++ struct nouveau_cli *cli; + struct nvif_device *device; + struct nouveau_drm *drm; + struct nouveau_vmm *vmm; +@@ -62,7 +63,7 @@ struct nouveau_channel { + int nouveau_channels_init(struct nouveau_drm *); + void nouveau_channels_fini(struct nouveau_drm *); + +-int nouveau_channel_new(struct nouveau_drm *, struct nvif_device *, bool priv, u64 runm, ++int nouveau_channel_new(struct nouveau_cli *, bool priv, u64 runm, + u32 vram, u32 gart, struct nouveau_channel **); + void nouveau_channel_del(struct nouveau_channel **); + int nouveau_channel_idle(struct nouveau_channel *); +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index 75545da9d1e91..c39284dc7d73b 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -343,7 +343,7 @@ nouveau_accel_ce_init(struct nouveau_drm *drm) + return; + } + +- ret = nouveau_channel_new(drm, device, false, runm, NvDmaFB, NvDmaTT, &drm->cechan); ++ ret = nouveau_channel_new(&drm->client, false, runm, NvDmaFB, NvDmaTT, &drm->cechan); + if (ret) + NV_ERROR(drm, "failed to create ce channel, %d\n", ret); + } +@@ -371,7 +371,7 @@ nouveau_accel_gr_init(struct nouveau_drm *drm) + return; + } + +- ret = nouveau_channel_new(drm, device, false, runm, NvDmaFB, NvDmaTT, &drm->channel); ++ ret = nouveau_channel_new(&drm->client, false, runm, NvDmaFB, NvDmaTT, &drm->channel); + if (ret) { + NV_ERROR(drm, "failed to create kernel channel, %d\n", ret); + nouveau_accel_gr_fini(drm); +-- +2.43.0 + diff --git a/queue-6.6/e1000e-change-i219-19-devices-to-adp.patch b/queue-6.6/e1000e-change-i219-19-devices-to-adp.patch new file mode 100644 index 00000000000..565c8de04da --- /dev/null +++ b/queue-6.6/e1000e-change-i219-19-devices-to-adp.patch @@ -0,0 +1,62 @@ +From 929d26c20d506fe675b17ddd31946a20203ef98b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Sep 2024 09:49:17 +0300 +Subject: e1000e: change I219 (19) devices to ADP + +From: Vitaly Lifshits + +[ Upstream commit 9d9e5347b035412daa844f884b94a05bac94f864 ] + +Sporadic issues, such as PHY access loss, have been observed on I219 (19) +devices. It was found that these devices have hardware more closely +related to ADP than MTP and the issues were caused by taking MTP-specific +flows. + +Change the MAC and board types of these devices from MTP to ADP to +correctly reflect the LAN hardware, and flows, of these devices. + +Fixes: db2d737d63c5 ("e1000e: Separate MTP board type from ADP") +Signed-off-by: Vitaly Lifshits +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/hw.h | 4 ++-- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/hw.h b/drivers/net/ethernet/intel/e1000e/hw.h +index 4b6e7536170ab..fc8ed38aa0955 100644 +--- a/drivers/net/ethernet/intel/e1000e/hw.h ++++ b/drivers/net/ethernet/intel/e1000e/hw.h +@@ -108,8 +108,8 @@ struct e1000_hw; + #define E1000_DEV_ID_PCH_RPL_I219_V22 0x0DC8 + #define E1000_DEV_ID_PCH_MTP_I219_LM18 0x550A + #define E1000_DEV_ID_PCH_MTP_I219_V18 0x550B +-#define E1000_DEV_ID_PCH_MTP_I219_LM19 0x550C +-#define E1000_DEV_ID_PCH_MTP_I219_V19 0x550D ++#define E1000_DEV_ID_PCH_ADP_I219_LM19 0x550C ++#define E1000_DEV_ID_PCH_ADP_I219_V19 0x550D + #define E1000_DEV_ID_PCH_LNP_I219_LM20 0x550E + #define E1000_DEV_ID_PCH_LNP_I219_V20 0x550F + #define E1000_DEV_ID_PCH_LNP_I219_LM21 0x5510 +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 06d109063c8d8..721c098f2bb1b 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -7899,10 +7899,10 @@ static const struct pci_device_id e1000_pci_tbl[] = { + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ADP_I219_V17), board_pch_adp }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_RPL_I219_LM22), board_pch_adp }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_RPL_I219_V22), board_pch_adp }, ++ { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ADP_I219_LM19), board_pch_adp }, ++ { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ADP_I219_V19), board_pch_adp }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_LM18), board_pch_mtp }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_V18), board_pch_mtp }, +- { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_LM19), board_pch_mtp }, +- { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_V19), board_pch_mtp }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LNP_I219_LM20), board_pch_mtp }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LNP_I219_V20), board_pch_mtp }, + { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LNP_I219_LM21), board_pch_mtp }, +-- +2.43.0 + diff --git a/queue-6.6/gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch b/queue-6.6/gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch new file mode 100644 index 00000000000..4d4f6d889aa --- /dev/null +++ b/queue-6.6/gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch @@ -0,0 +1,44 @@ +From 12eeb2ad4fb6da58165bca8c8fb6245f4e15f39f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:14:44 +0800 +Subject: gpio: aspeed: Add the flush write to ensure the write complete. + +From: Billy Tsai + +[ Upstream commit 1bb5a99e1f3fd27accb804aa0443a789161f843c ] + +Performing a dummy read ensures that the register write operation is fully +completed, mitigating any potential bus delays that could otherwise impact +the frequency of bitbang usage. E.g., if the JTAG application uses GPIO to +control the JTAG pins (TCK, TMS, TDI, TDO, and TRST), and the application +sets the TCK clock to 1 MHz, the GPIO's high/low transitions will rely on +a delay function to ensure the clock frequency does not exceed 1 MHz. +However, this can lead to rapid toggling of the GPIO because the write +operation is POSTed and does not wait for a bus acknowledgment. + +Fixes: 361b79119a4b ("gpio: Add Aspeed driver") +Reviewed-by: Andrew Jeffery +Signed-off-by: Billy Tsai +Link: https://lore.kernel.org/r/20241008081450.1490955-2-billy_tsai@aspeedtech.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-aspeed.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c +index 58f107194fdaf..017f083bc8c29 100644 +--- a/drivers/gpio/gpio-aspeed.c ++++ b/drivers/gpio/gpio-aspeed.c +@@ -406,6 +406,8 @@ static void __aspeed_gpio_set(struct gpio_chip *gc, unsigned int offset, + gpio->dcache[GPIO_BANK(offset)] = reg; + + iowrite32(reg, addr); ++ /* Flush write */ ++ ioread32(addr); + } + + static void aspeed_gpio_set(struct gpio_chip *gc, unsigned int offset, +-- +2.43.0 + diff --git a/queue-6.6/gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch b/queue-6.6/gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch new file mode 100644 index 00000000000..f9523ebdbed --- /dev/null +++ b/queue-6.6/gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch @@ -0,0 +1,37 @@ +From 671dc33b9ea26805781117dc191458f37585c68f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:14:45 +0800 +Subject: gpio: aspeed: Use devm_clk api to manage clock source + +From: Billy Tsai + +[ Upstream commit a6191a3d18119184237f4ee600039081ad992320 ] + +Replace of_clk_get with devm_clk_get_enabled to manage the clock source. + +Fixes: 5ae4cb94b313 ("gpio: aspeed: Add debounce support") +Reviewed-by: Andrew Jeffery +Signed-off-by: Billy Tsai +Link: https://lore.kernel.org/r/20241008081450.1490955-3-billy_tsai@aspeedtech.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-aspeed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c +index 017f083bc8c29..76468e6a2899a 100644 +--- a/drivers/gpio/gpio-aspeed.c ++++ b/drivers/gpio/gpio-aspeed.c +@@ -1193,7 +1193,7 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev) + if (!gpio_id) + return -EINVAL; + +- gpio->clk = of_clk_get(pdev->dev.of_node, 0); ++ gpio->clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(gpio->clk)) { + dev_warn(&pdev->dev, + "Failed to get clock from devicetree, debouncing disabled\n"); +-- +2.43.0 + diff --git a/queue-6.6/i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch b/queue-6.6/i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch new file mode 100644 index 00000000000..12dfcfba067 --- /dev/null +++ b/queue-6.6/i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch @@ -0,0 +1,73 @@ +From 028835289914dc80a4240f8ae0e4b86ab94e96be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 11:12:19 +0200 +Subject: i40e: Fix macvlan leak by synchronizing access to mac_filter_hash + +From: Aleksandr Loktionov + +[ Upstream commit dac6c7b3d33756d6ce09f00a96ea2ecd79fae9fb ] + +This patch addresses a macvlan leak issue in the i40e driver caused by +concurrent access to vsi->mac_filter_hash. The leak occurs when multiple +threads attempt to modify the mac_filter_hash simultaneously, leading to +inconsistent state and potential memory leaks. + +To fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing +vf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock), +ensuring atomic operations and preventing concurrent access. + +Additionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in +i40e_add_mac_filter() to help catch similar issues in the future. + +Reproduction steps: +1. Spawn VFs and configure port vlan on them. +2. Trigger concurrent macvlan operations (e.g., adding and deleting + portvlan and/or mac filters). +3. Observe the potential memory leak and inconsistent state in the + mac_filter_hash. + +This synchronization ensures the integrity of the mac_filter_hash and prevents +the described leak. + +Fixes: fed0d9f13266 ("i40e: Fix VF's MAC Address change on VM") +Reviewed-by: Arkadiusz Kubalewski +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 1d241ebd04ec7..80472aa1deba4 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -1744,6 +1744,7 @@ struct i40e_mac_filter *i40e_add_mac_filter(struct i40e_vsi *vsi, + struct hlist_node *h; + int bkt; + ++ lockdep_assert_held(&vsi->mac_filter_hash_lock); + if (vsi->info.pvid) + return i40e_add_filter(vsi, macaddr, + le16_to_cpu(vsi->info.pvid)); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 7d47a05274548..d5509bc16d0d5 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -2219,8 +2219,10 @@ static int i40e_vc_get_vf_resources_msg(struct i40e_vf *vf, u8 *msg) + vfres->vsi_res[0].qset_handle + = le16_to_cpu(vsi->info.qs_handle[0]); + if (!(vf->driver_caps & VIRTCHNL_VF_OFFLOAD_USO) && !vf->pf_set_mac) { ++ spin_lock_bh(&vsi->mac_filter_hash_lock); + i40e_del_mac_filter(vsi, vf->default_lan_addr.addr); + eth_zero_addr(vf->default_lan_addr.addr); ++ spin_unlock_bh(&vsi->mac_filter_hash_lock); + } + ether_addr_copy(vfres->vsi_res[0].default_mac_addr, + vf->default_lan_addr.addr); +-- +2.43.0 + diff --git a/queue-6.6/ice-fix-netif_is_ice-in-safe-mode.patch b/queue-6.6/ice-fix-netif_is_ice-in-safe-mode.patch new file mode 100644 index 00000000000..c8ac11ab794 --- /dev/null +++ b/queue-6.6/ice-fix-netif_is_ice-in-safe-mode.patch @@ -0,0 +1,43 @@ +From 7d86199c06cb6000776acee64a6dd15f3855681c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 12:04:24 +0200 +Subject: ice: Fix netif_is_ice() in Safe Mode + +From: Marcin Szycik + +[ Upstream commit 8e60dbcbaaa177dacef55a61501790e201bf8c88 ] + +netif_is_ice() works by checking the pointer to netdev ops. However, it +only checks for the default ice_netdev_ops, not ice_netdev_safe_mode_ops, +so in Safe Mode it always returns false, which is unintuitive. While it +doesn't look like netif_is_ice() is currently being called anywhere in Safe +Mode, this could change and potentially lead to unexpected behaviour. + +Fixes: df006dd4b1dc ("ice: Add initial support framework for LAG") +Reviewed-by: Przemek Kitszel +Signed-off-by: Marcin Szycik +Reviewed-by: Brett Creeley +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 4d3a9fc79a6c1..511064ab3fe3b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -84,7 +84,8 @@ ice_indr_setup_tc_cb(struct net_device *netdev, struct Qdisc *sch, + + bool netif_is_ice(const struct net_device *dev) + { +- return dev && (dev->netdev_ops == &ice_netdev_ops); ++ return dev && (dev->netdev_ops == &ice_netdev_ops || ++ dev->netdev_ops == &ice_netdev_safe_mode_ops); + } + + /** +-- +2.43.0 + diff --git a/queue-6.6/ice-fix-vlan-replay-after-reset.patch b/queue-6.6/ice-fix-vlan-replay-after-reset.patch new file mode 100644 index 00000000000..14cf6f9d370 --- /dev/null +++ b/queue-6.6/ice-fix-vlan-replay-after-reset.patch @@ -0,0 +1,56 @@ +From c2bd3912ff9efc4fefb47c4b20fc1937d204e2a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 14:02:56 -0400 +Subject: ice: fix VLAN replay after reset + +From: Dave Ertman + +[ Upstream commit 0eae2c136cb624e4050092feb59f18159b4f2512 ] + +There is a bug currently when there are more than one VLAN defined +and any reset that affects the PF is initiated, after the reset rebuild +no traffic will pass on any VLAN but the last one created. + +This is caused by the iteration though the VLANs during replay each +clearing the vsi_map bitmap of the VSI that is being replayed. The +problem is that during rhe replay, the pointer to the vsi_map bitmap +is used by each successive vlan to determine if it should be replayed +on this VSI. + +The logic was that the replay of the VLAN would replace the bit in the map +before the next VLAN would iterate through. But, since the replay copies +the old bitmap pointer to filt_replay_rules and creates a new one for the +recreated VLANS, it does not do this, and leaves the old bitmap broken +to be used to replay the remaining VLANs. + +Since the old bitmap will be cleaned up in post replay cleanup, there is +no need to alter it and break following VLAN replay, so don't clear the +bit. + +Fixes: 334cb0626de1 ("ice: Implement VSI replay framework") +Reviewed-by: Przemek Kitszel +Signed-off-by: Dave Ertman +Reviewed-by: Jacob Keller +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_switch.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c +index 355716e6bcc82..19f730a68fa21 100644 +--- a/drivers/net/ethernet/intel/ice/ice_switch.c ++++ b/drivers/net/ethernet/intel/ice/ice_switch.c +@@ -6326,8 +6326,6 @@ ice_replay_vsi_fltr(struct ice_hw *hw, u16 vsi_handle, u8 recp_id, + if (!itr->vsi_list_info || + !test_bit(vsi_handle, itr->vsi_list_info->vsi_map)) + continue; +- /* Clearing it so that the logic can add it back */ +- clear_bit(vsi_handle, itr->vsi_list_info->vsi_map); + f_entry.fltr_info.vsi_handle = vsi_handle; + f_entry.fltr_info.fltr_act = ICE_FWD_TO_VSI; + /* update the src in case it is VSI num */ +-- +2.43.0 + diff --git a/queue-6.6/ice-flush-fdb-entries-before-reset.patch b/queue-6.6/ice-flush-fdb-entries-before-reset.patch new file mode 100644 index 00000000000..440a6b9dbff --- /dev/null +++ b/queue-6.6/ice-flush-fdb-entries-before-reset.patch @@ -0,0 +1,114 @@ +From 245343faff4d956caca863f239e5120620486b82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 14:38:01 +0200 +Subject: ice: Flush FDB entries before reset + +From: Wojciech Drewek + +[ Upstream commit fbcb968a98ac0b71f5a2bda2751d7a32d201f90d ] + +Triggering the reset while in switchdev mode causes +errors[1]. Rules are already removed by this time +because switch content is flushed in case of the reset. +This means that rules were deleted from HW but SW +still thinks they exist so when we get +SWITCHDEV_FDB_DEL_TO_DEVICE notification we try to +delete not existing rule. + +We can avoid these errors by clearing the rules +early in the reset flow before they are removed from HW. +Switchdev API will get notified that the rule was removed +so we won't get SWITCHDEV_FDB_DEL_TO_DEVICE notification. +Remove unnecessary ice_clear_sw_switch_recipes. + +[1] +ice 0000:01:00.0: Failed to delete FDB forward rule, err: -2 +ice 0000:01:00.0: Failed to delete FDB guard rule, err: -2 + +Fixes: 7c945a1a8e5f ("ice: Switchdev FDB events support") +Reviewed-by: Mateusz Polchlopek +Signed-off-by: Wojciech Drewek +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/ice/ice_eswitch_br.c | 5 +++- + .../net/ethernet/intel/ice/ice_eswitch_br.h | 1 + + drivers/net/ethernet/intel/ice/ice_main.c | 24 +++---------------- + 3 files changed, 8 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch_br.c b/drivers/net/ethernet/intel/ice/ice_eswitch_br.c +index 8944f01e7a0b0..4750198d0c0ca 100644 +--- a/drivers/net/ethernet/intel/ice/ice_eswitch_br.c ++++ b/drivers/net/ethernet/intel/ice/ice_eswitch_br.c +@@ -582,10 +582,13 @@ ice_eswitch_br_switchdev_event(struct notifier_block *nb, + return NOTIFY_DONE; + } + +-static void ice_eswitch_br_fdb_flush(struct ice_esw_br *bridge) ++void ice_eswitch_br_fdb_flush(struct ice_esw_br *bridge) + { + struct ice_esw_br_fdb_entry *entry, *tmp; + ++ if (!bridge) ++ return; ++ + list_for_each_entry_safe(entry, tmp, &bridge->fdb_list, list) + ice_eswitch_br_fdb_entry_notify_and_cleanup(bridge, entry); + } +diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch_br.h b/drivers/net/ethernet/intel/ice/ice_eswitch_br.h +index 85a8fadb2928e..3920e50611914 100644 +--- a/drivers/net/ethernet/intel/ice/ice_eswitch_br.h ++++ b/drivers/net/ethernet/intel/ice/ice_eswitch_br.h +@@ -116,5 +116,6 @@ void + ice_eswitch_br_offloads_deinit(struct ice_pf *pf); + int + ice_eswitch_br_offloads_init(struct ice_pf *pf); ++void ice_eswitch_br_fdb_flush(struct ice_esw_br *bridge); + + #endif /* _ICE_ESWITCH_BR_H_ */ +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 511064ab3fe3b..9f12c9a0fe296 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -518,25 +518,6 @@ static void ice_pf_dis_all_vsi(struct ice_pf *pf, bool locked) + pf->vf_agg_node[node].num_vsis = 0; + } + +-/** +- * ice_clear_sw_switch_recipes - clear switch recipes +- * @pf: board private structure +- * +- * Mark switch recipes as not created in sw structures. There are cases where +- * rules (especially advanced rules) need to be restored, either re-read from +- * hardware or added again. For example after the reset. 'recp_created' flag +- * prevents from doing that and need to be cleared upfront. +- */ +-static void ice_clear_sw_switch_recipes(struct ice_pf *pf) +-{ +- struct ice_sw_recipe *recp; +- u8 i; +- +- recp = pf->hw.switch_info->recp_list; +- for (i = 0; i < ICE_MAX_NUM_RECIPES; i++) +- recp[i].recp_created = false; +-} +- + /** + * ice_prepare_for_reset - prep for reset + * @pf: board private structure +@@ -573,8 +554,9 @@ ice_prepare_for_reset(struct ice_pf *pf, enum ice_reset_req reset_type) + mutex_unlock(&pf->vfs.table_lock); + + if (ice_is_eswitch_mode_switchdev(pf)) { +- if (reset_type != ICE_RESET_PFR) +- ice_clear_sw_switch_recipes(pf); ++ rtnl_lock(); ++ ice_eswitch_br_fdb_flush(pf->eswitch.br_offloads->bridge); ++ rtnl_unlock(); + } + + /* release ADQ specific HW and SW resources */ +-- +2.43.0 + diff --git a/queue-6.6/ice-rename-switchdev-to-eswitch.patch b/queue-6.6/ice-rename-switchdev-to-eswitch.patch new file mode 100644 index 00000000000..f94f62baac2 --- /dev/null +++ b/queue-6.6/ice-rename-switchdev-to-eswitch.patch @@ -0,0 +1,355 @@ +From b821cd127d0f92092f4bc1b8add338f865d71ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 13:09:15 +0200 +Subject: ice: rename switchdev to eswitch + +From: Michal Swiatkowski + +[ Upstream commit 5a841e4eb8ed2fea91025b19af8a9ba544f63323 ] + +Eswitch is used as a prefix for related functions. Main structure +storing all data related to eswitch should also be named as eswitch +instead of ice_switchdev_info. Rename it. + +Also rename switchdev to eswitch where the context is not about eswitch +mode. + +::uplink_netdev was changed to netdev for simplicity. There is no other +netdev in function scope so it is obvious. + +Reviewed-by: Wojciech Drewek +Reviewed-by: Piotr Raczynski +Reviewed-by: Jacob Keller +Signed-off-by: Michal Swiatkowski +Signed-off-by: Tony Nguyen +Stable-dep-of: fbcb968a98ac ("ice: Flush FDB entries before reset") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 6 +- + drivers/net/ethernet/intel/ice/ice_eswitch.c | 63 ++++++++++--------- + .../net/ethernet/intel/ice/ice_eswitch_br.c | 12 ++-- + drivers/net/ethernet/intel/ice/ice_tc_lib.c | 4 +- + 4 files changed, 43 insertions(+), 42 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 7b3ce30ba38fa..f943964ec05ae 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -518,7 +518,7 @@ enum ice_misc_thread_tasks { + ICE_MISC_THREAD_NBITS /* must be last */ + }; + +-struct ice_switchdev_info { ++struct ice_eswitch { + struct ice_vsi *control_vsi; + struct ice_vsi *uplink_vsi; + struct ice_esw_br_offloads *br_offloads; +@@ -631,7 +631,7 @@ struct ice_pf { + struct ice_link_default_override_tlv link_dflt_override; + struct ice_lag *lag; /* Link Aggregation information */ + +- struct ice_switchdev_info switchdev; ++ struct ice_eswitch eswitch; + struct ice_esw_br_port *br_port; + + #define ICE_INVALID_AGG_NODE_ID 0 +@@ -838,7 +838,7 @@ static inline struct ice_vsi *ice_find_vsi(struct ice_pf *pf, u16 vsi_num) + */ + static inline bool ice_is_switchdev_running(struct ice_pf *pf) + { +- return pf->switchdev.is_running; ++ return pf->eswitch.is_running; + } + + #define ICE_FD_STAT_CTR_BLOCK_COUNT 256 +diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch.c b/drivers/net/ethernet/intel/ice/ice_eswitch.c +index a655d499abfa8..e7f1e53314d76 100644 +--- a/drivers/net/ethernet/intel/ice/ice_eswitch.c ++++ b/drivers/net/ethernet/intel/ice/ice_eswitch.c +@@ -16,12 +16,12 @@ + * @vf: pointer to VF struct + * + * This function adds advanced rule that forwards packets with +- * VF's VSI index to the corresponding switchdev ctrl VSI queue. ++ * VF's VSI index to the corresponding eswitch ctrl VSI queue. + */ + static int + ice_eswitch_add_vf_sp_rule(struct ice_pf *pf, struct ice_vf *vf) + { +- struct ice_vsi *ctrl_vsi = pf->switchdev.control_vsi; ++ struct ice_vsi *ctrl_vsi = pf->eswitch.control_vsi; + struct ice_adv_rule_info rule_info = { 0 }; + struct ice_adv_lkup_elem *list; + struct ice_hw *hw = &pf->hw; +@@ -59,7 +59,7 @@ ice_eswitch_add_vf_sp_rule(struct ice_pf *pf, struct ice_vf *vf) + * @vf: pointer to the VF struct + * + * Delete the advanced rule that was used to forward packets with the VF's VSI +- * index to the corresponding switchdev ctrl VSI queue. ++ * index to the corresponding eswitch ctrl VSI queue. + */ + static void ice_eswitch_del_vf_sp_rule(struct ice_vf *vf) + { +@@ -70,7 +70,7 @@ static void ice_eswitch_del_vf_sp_rule(struct ice_vf *vf) + } + + /** +- * ice_eswitch_setup_env - configure switchdev HW filters ++ * ice_eswitch_setup_env - configure eswitch HW filters + * @pf: pointer to PF struct + * + * This function adds HW filters configuration specific for switchdev +@@ -78,18 +78,18 @@ static void ice_eswitch_del_vf_sp_rule(struct ice_vf *vf) + */ + static int ice_eswitch_setup_env(struct ice_pf *pf) + { +- struct ice_vsi *uplink_vsi = pf->switchdev.uplink_vsi; +- struct net_device *uplink_netdev = uplink_vsi->netdev; +- struct ice_vsi *ctrl_vsi = pf->switchdev.control_vsi; ++ struct ice_vsi *uplink_vsi = pf->eswitch.uplink_vsi; ++ struct ice_vsi *ctrl_vsi = pf->eswitch.control_vsi; ++ struct net_device *netdev = uplink_vsi->netdev; + struct ice_vsi_vlan_ops *vlan_ops; + bool rule_added = false; + + ice_remove_vsi_fltr(&pf->hw, uplink_vsi->idx); + +- netif_addr_lock_bh(uplink_netdev); +- __dev_uc_unsync(uplink_netdev, NULL); +- __dev_mc_unsync(uplink_netdev, NULL); +- netif_addr_unlock_bh(uplink_netdev); ++ netif_addr_lock_bh(netdev); ++ __dev_uc_unsync(netdev, NULL); ++ __dev_mc_unsync(netdev, NULL); ++ netif_addr_unlock_bh(netdev); + + if (ice_vsi_add_vlan_zero(uplink_vsi)) + goto err_def_rx; +@@ -132,10 +132,10 @@ static int ice_eswitch_setup_env(struct ice_pf *pf) + } + + /** +- * ice_eswitch_remap_rings_to_vectors - reconfigure rings of switchdev ctrl VSI ++ * ice_eswitch_remap_rings_to_vectors - reconfigure rings of eswitch ctrl VSI + * @pf: pointer to PF struct + * +- * In switchdev number of allocated Tx/Rx rings is equal. ++ * In eswitch number of allocated Tx/Rx rings is equal. + * + * This function fills q_vectors structures associated with representor and + * move each ring pairs to port representor netdevs. Each port representor +@@ -144,7 +144,7 @@ static int ice_eswitch_setup_env(struct ice_pf *pf) + */ + static void ice_eswitch_remap_rings_to_vectors(struct ice_pf *pf) + { +- struct ice_vsi *vsi = pf->switchdev.control_vsi; ++ struct ice_vsi *vsi = pf->eswitch.control_vsi; + int q_id; + + ice_for_each_txq(vsi, q_id) { +@@ -189,7 +189,7 @@ static void ice_eswitch_remap_rings_to_vectors(struct ice_pf *pf) + /** + * ice_eswitch_release_reprs - clear PR VSIs configuration + * @pf: poiner to PF struct +- * @ctrl_vsi: pointer to switchdev control VSI ++ * @ctrl_vsi: pointer to eswitch control VSI + */ + static void + ice_eswitch_release_reprs(struct ice_pf *pf, struct ice_vsi *ctrl_vsi) +@@ -223,7 +223,7 @@ ice_eswitch_release_reprs(struct ice_pf *pf, struct ice_vsi *ctrl_vsi) + */ + static int ice_eswitch_setup_reprs(struct ice_pf *pf) + { +- struct ice_vsi *ctrl_vsi = pf->switchdev.control_vsi; ++ struct ice_vsi *ctrl_vsi = pf->eswitch.control_vsi; + int max_vsi_num = 0; + struct ice_vf *vf; + unsigned int bkt; +@@ -359,7 +359,7 @@ ice_eswitch_port_start_xmit(struct sk_buff *skb, struct net_device *netdev) + } + + /** +- * ice_eswitch_set_target_vsi - set switchdev context in Tx context descriptor ++ * ice_eswitch_set_target_vsi - set eswitch context in Tx context descriptor + * @skb: pointer to send buffer + * @off: pointer to offload struct + */ +@@ -382,7 +382,7 @@ ice_eswitch_set_target_vsi(struct sk_buff *skb, + } + + /** +- * ice_eswitch_release_env - clear switchdev HW filters ++ * ice_eswitch_release_env - clear eswitch HW filters + * @pf: pointer to PF struct + * + * This function removes HW filters configuration specific for switchdev +@@ -390,8 +390,8 @@ ice_eswitch_set_target_vsi(struct sk_buff *skb, + */ + static void ice_eswitch_release_env(struct ice_pf *pf) + { +- struct ice_vsi *uplink_vsi = pf->switchdev.uplink_vsi; +- struct ice_vsi *ctrl_vsi = pf->switchdev.control_vsi; ++ struct ice_vsi *uplink_vsi = pf->eswitch.uplink_vsi; ++ struct ice_vsi *ctrl_vsi = pf->eswitch.control_vsi; + struct ice_vsi_vlan_ops *vlan_ops; + + vlan_ops = ice_get_compat_vsi_vlan_ops(uplink_vsi); +@@ -407,7 +407,7 @@ static void ice_eswitch_release_env(struct ice_pf *pf) + } + + /** +- * ice_eswitch_vsi_setup - configure switchdev control VSI ++ * ice_eswitch_vsi_setup - configure eswitch control VSI + * @pf: pointer to PF structure + * @pi: pointer to port_info structure + */ +@@ -486,12 +486,12 @@ static int ice_eswitch_enable_switchdev(struct ice_pf *pf) + return -EINVAL; + } + +- pf->switchdev.control_vsi = ice_eswitch_vsi_setup(pf, pf->hw.port_info); +- if (!pf->switchdev.control_vsi) ++ pf->eswitch.control_vsi = ice_eswitch_vsi_setup(pf, pf->hw.port_info); ++ if (!pf->eswitch.control_vsi) + return -ENODEV; + +- ctrl_vsi = pf->switchdev.control_vsi; +- pf->switchdev.uplink_vsi = uplink_vsi; ++ ctrl_vsi = pf->eswitch.control_vsi; ++ pf->eswitch.uplink_vsi = uplink_vsi; + + if (ice_eswitch_setup_env(pf)) + goto err_vsi; +@@ -526,12 +526,12 @@ static int ice_eswitch_enable_switchdev(struct ice_pf *pf) + } + + /** +- * ice_eswitch_disable_switchdev - disable switchdev resources ++ * ice_eswitch_disable_switchdev - disable eswitch resources + * @pf: pointer to PF structure + */ + static void ice_eswitch_disable_switchdev(struct ice_pf *pf) + { +- struct ice_vsi *ctrl_vsi = pf->switchdev.control_vsi; ++ struct ice_vsi *ctrl_vsi = pf->eswitch.control_vsi; + + ice_eswitch_napi_disable(pf); + ice_eswitch_br_offloads_deinit(pf); +@@ -625,7 +625,7 @@ void ice_eswitch_release(struct ice_pf *pf) + return; + + ice_eswitch_disable_switchdev(pf); +- pf->switchdev.is_running = false; ++ pf->eswitch.is_running = false; + } + + /** +@@ -636,14 +636,15 @@ int ice_eswitch_configure(struct ice_pf *pf) + { + int status; + +- if (pf->eswitch_mode == DEVLINK_ESWITCH_MODE_LEGACY || pf->switchdev.is_running) ++ if (pf->eswitch_mode == DEVLINK_ESWITCH_MODE_LEGACY || ++ pf->eswitch.is_running) + return 0; + + status = ice_eswitch_enable_switchdev(pf); + if (status) + return status; + +- pf->switchdev.is_running = true; ++ pf->eswitch.is_running = true; + return 0; + } + +@@ -693,7 +694,7 @@ void ice_eswitch_stop_all_tx_queues(struct ice_pf *pf) + */ + int ice_eswitch_rebuild(struct ice_pf *pf) + { +- struct ice_vsi *ctrl_vsi = pf->switchdev.control_vsi; ++ struct ice_vsi *ctrl_vsi = pf->eswitch.control_vsi; + int status; + + ice_eswitch_napi_disable(pf); +diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch_br.c b/drivers/net/ethernet/intel/ice/ice_eswitch_br.c +index 67bfd1f61cdd4..8944f01e7a0b0 100644 +--- a/drivers/net/ethernet/intel/ice/ice_eswitch_br.c ++++ b/drivers/net/ethernet/intel/ice/ice_eswitch_br.c +@@ -947,7 +947,7 @@ ice_eswitch_br_vf_repr_port_init(struct ice_esw_br *bridge, + static int + ice_eswitch_br_uplink_port_init(struct ice_esw_br *bridge, struct ice_pf *pf) + { +- struct ice_vsi *vsi = pf->switchdev.uplink_vsi; ++ struct ice_vsi *vsi = pf->eswitch.uplink_vsi; + struct ice_esw_br_port *br_port; + int err; + +@@ -1185,7 +1185,7 @@ ice_eswitch_br_port_event(struct notifier_block *nb, + static void + ice_eswitch_br_offloads_dealloc(struct ice_pf *pf) + { +- struct ice_esw_br_offloads *br_offloads = pf->switchdev.br_offloads; ++ struct ice_esw_br_offloads *br_offloads = pf->eswitch.br_offloads; + + ASSERT_RTNL(); + +@@ -1194,7 +1194,7 @@ ice_eswitch_br_offloads_dealloc(struct ice_pf *pf) + + ice_eswitch_br_deinit(br_offloads, br_offloads->bridge); + +- pf->switchdev.br_offloads = NULL; ++ pf->eswitch.br_offloads = NULL; + kfree(br_offloads); + } + +@@ -1205,14 +1205,14 @@ ice_eswitch_br_offloads_alloc(struct ice_pf *pf) + + ASSERT_RTNL(); + +- if (pf->switchdev.br_offloads) ++ if (pf->eswitch.br_offloads) + return ERR_PTR(-EEXIST); + + br_offloads = kzalloc(sizeof(*br_offloads), GFP_KERNEL); + if (!br_offloads) + return ERR_PTR(-ENOMEM); + +- pf->switchdev.br_offloads = br_offloads; ++ pf->eswitch.br_offloads = br_offloads; + br_offloads->pf = pf; + + return br_offloads; +@@ -1223,7 +1223,7 @@ ice_eswitch_br_offloads_deinit(struct ice_pf *pf) + { + struct ice_esw_br_offloads *br_offloads; + +- br_offloads = pf->switchdev.br_offloads; ++ br_offloads = pf->eswitch.br_offloads; + if (!br_offloads) + return; + +diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +index 2bc89a8f6655f..c213121aa5010 100644 +--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +@@ -660,7 +660,7 @@ static int ice_tc_setup_redirect_action(struct net_device *filter_dev, + ice_tc_is_dev_uplink(target_dev)) { + repr = ice_netdev_to_repr(filter_dev); + +- fltr->dest_vsi = repr->src_vsi->back->switchdev.uplink_vsi; ++ fltr->dest_vsi = repr->src_vsi->back->eswitch.uplink_vsi; + fltr->direction = ICE_ESWITCH_FLTR_EGRESS; + } else if (ice_tc_is_dev_uplink(filter_dev) && + ice_is_port_repr_netdev(target_dev)) { +@@ -772,7 +772,7 @@ ice_eswitch_add_tc_fltr(struct ice_vsi *vsi, struct ice_tc_flower_fltr *fltr) + rule_info.sw_act.src = hw->pf_id; + rule_info.flags_info.act = ICE_SINGLE_ACT_LB_ENABLE; + } else if (fltr->direction == ICE_ESWITCH_FLTR_EGRESS && +- fltr->dest_vsi == vsi->back->switchdev.uplink_vsi) { ++ fltr->dest_vsi == vsi->back->eswitch.uplink_vsi) { + /* VF to Uplink */ + rule_info.sw_act.flag |= ICE_FLTR_TX; + rule_info.sw_act.src = vsi->idx; +-- +2.43.0 + diff --git a/queue-6.6/ice-set-correct-dst-vsi-in-only-lan-filters.patch b/queue-6.6/ice-set-correct-dst-vsi-in-only-lan-filters.patch new file mode 100644 index 00000000000..9edd0baf0b3 --- /dev/null +++ b/queue-6.6/ice-set-correct-dst-vsi-in-only-lan-filters.patch @@ -0,0 +1,67 @@ +From 47c3c720a33c5d12a08ce9db82691ac90a281359 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 12:14:01 +0200 +Subject: ice: set correct dst VSI in only LAN filters + +From: Michal Swiatkowski + +[ Upstream commit 839e3f9bee425c90a0423d14b102a42fe6635c73 ] + +The filters set that will reproduce the problem: +$ tc filter add dev $VF0_PR ingress protocol arp prio 0 flower \ + skip_sw dst_mac ff:ff:ff:ff:ff:ff action mirred egress \ + redirect dev $PF0 +$ tc filter add dev $VF0_PR ingress protocol arp prio 0 flower \ + skip_sw dst_mac ff:ff:ff:ff:ff:ff src_mac 52:54:00:00:00:10 \ + action mirred egress mirror dev $VF1_PR + +Expected behaviour is to set all broadcast from VF0 to the LAN. If the +src_mac match the value from filters, send packet to LAN and to VF1. + +In this case both LAN_EN and LB_EN flags in switch is set in case of +packet matching both filters. As dst VSI for the only LAN enable bit is +PF VSI, the packet is being seen on PF. To fix this change dst VSI to +the source VSI. It will block receiving any packet even when LB_EN is +set by switch, because local loopback is clear on VF VSI during normal +operation. + +Side note: if the second filters action is redirect instead of mirror +LAN_EN is clear, because switch is AND-ing LAN_EN from each matched +filters and OR-ing LB_EN. + +Reviewed-by: Przemek Kitszel +Fixes: 73b483b79029 ("ice: Manage act flags for switchdev offloads") +Signed-off-by: Michal Swiatkowski +Reviewed-by: Jacob Keller +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_tc_lib.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +index 76ad5930c0102..2bc89a8f6655f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +@@ -777,6 +777,17 @@ ice_eswitch_add_tc_fltr(struct ice_vsi *vsi, struct ice_tc_flower_fltr *fltr) + rule_info.sw_act.flag |= ICE_FLTR_TX; + rule_info.sw_act.src = vsi->idx; + rule_info.flags_info.act = ICE_SINGLE_ACT_LAN_ENABLE; ++ /* This is a specific case. The destination VSI index is ++ * overwritten by the source VSI index. This type of filter ++ * should allow the packet to go to the LAN, not to the ++ * VSI passed here. It should set LAN_EN bit only. However, ++ * the VSI must be a valid one. Setting source VSI index ++ * here is safe. Even if the result from switch is set LAN_EN ++ * and LB_EN (which normally will pass the packet to this VSI) ++ * packet won't be seen on the VSI, because local loopback is ++ * turned off. ++ */ ++ rule_info.sw_act.vsi_handle = vsi->idx; + } else { + /* VF to VF */ + rule_info.sw_act.flag |= ICE_FLTR_TX; +-- +2.43.0 + diff --git a/queue-6.6/igb-do-not-bring-the-device-up-after-non-fatal-error.patch b/queue-6.6/igb-do-not-bring-the-device-up-after-non-fatal-error.patch new file mode 100644 index 00000000000..e005b4874db --- /dev/null +++ b/queue-6.6/igb-do-not-bring-the-device-up-after-non-fatal-error.patch @@ -0,0 +1,96 @@ +From a4d881b20e0e12d5b13046eaee5776e68a4cd23d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:06:01 -0600 +Subject: igb: Do not bring the device up after non-fatal error + +From: Mohamed Khalfella + +[ Upstream commit 330a699ecbfc9c26ec92c6310686da1230b4e7eb ] + +Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal") +changed igb_io_error_detected() to ignore non-fatal pcie errors in order +to avoid hung task that can happen when igb_down() is called multiple +times. This caused an issue when processing transient non-fatal errors. +igb_io_resume(), which is called after igb_io_error_detected(), assumes +that device is brought down by igb_io_error_detected() if the interface +is up. This resulted in panic with stacktrace below. + +[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down +[ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0 +[ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID) +[ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000 +[ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000 +[ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message +[ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported. +[ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message +[ T292] pcieport 0000:00:1c.5: AER: broadcast resume message +[ T292] ------------[ cut here ]------------ +[ T292] kernel BUG at net/core/dev.c:6539! +[ T292] invalid opcode: 0000 [#1] PREEMPT SMP +[ T292] RIP: 0010:napi_enable+0x37/0x40 +[ T292] Call Trace: +[ T292] +[ T292] ? die+0x33/0x90 +[ T292] ? do_trap+0xdc/0x110 +[ T292] ? napi_enable+0x37/0x40 +[ T292] ? do_error_trap+0x70/0xb0 +[ T292] ? napi_enable+0x37/0x40 +[ T292] ? napi_enable+0x37/0x40 +[ T292] ? exc_invalid_op+0x4e/0x70 +[ T292] ? napi_enable+0x37/0x40 +[ T292] ? asm_exc_invalid_op+0x16/0x20 +[ T292] ? napi_enable+0x37/0x40 +[ T292] igb_up+0x41/0x150 +[ T292] igb_io_resume+0x25/0x70 +[ T292] report_resume+0x54/0x70 +[ T292] ? report_frozen_detected+0x20/0x20 +[ T292] pci_walk_bus+0x6c/0x90 +[ T292] ? aer_print_port_info+0xa0/0xa0 +[ T292] pcie_do_recovery+0x22f/0x380 +[ T292] aer_process_err_devices+0x110/0x160 +[ T292] aer_isr+0x1c1/0x1e0 +[ T292] ? disable_irq_nosync+0x10/0x10 +[ T292] irq_thread_fn+0x1a/0x60 +[ T292] irq_thread+0xe3/0x1a0 +[ T292] ? irq_set_affinity_notifier+0x120/0x120 +[ T292] ? irq_affinity_notify+0x100/0x100 +[ T292] kthread+0xe2/0x110 +[ T292] ? kthread_complete_and_exit+0x20/0x20 +[ T292] ret_from_fork+0x2d/0x50 +[ T292] ? kthread_complete_and_exit+0x20/0x20 +[ T292] ret_from_fork_asm+0x11/0x20 +[ T292] + +To fix this issue igb_io_resume() checks if the interface is running and +the device is not down this means igb_io_error_detected() did not bring +the device down and there is no need to bring it up. + +Signed-off-by: Mohamed Khalfella +Reviewed-by: Yuanyuan Zhong +Fixes: 004d25060c78 ("igb: Fix igb_down hung on surprise removal") +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 986bcbf0a6aba..49b349fa22542 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9672,6 +9672,10 @@ static void igb_io_resume(struct pci_dev *pdev) + struct igb_adapter *adapter = netdev_priv(netdev); + + if (netif_running(netdev)) { ++ if (!test_bit(__IGB_DOWN, &adapter->state)) { ++ dev_dbg(&pdev->dev, "Resuming from non-fatal error, do nothing.\n"); ++ return; ++ } + if (igb_up(adapter)) { + dev_err(&pdev->dev, "igb_up failed after reset\n"); + return; +-- +2.43.0 + diff --git a/queue-6.6/mctp-handle-error-of-rtnl_register_module.patch b/queue-6.6/mctp-handle-error-of-rtnl_register_module.patch new file mode 100644 index 00000000000..401d981f7ec --- /dev/null +++ b/queue-6.6/mctp-handle-error-of-rtnl_register_module.patch @@ -0,0 +1,218 @@ +From 2a1fc42d461e67f50c45fdac90b8ef08cf876cce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 11:47:35 -0700 +Subject: mctp: Handle error of rtnl_register_module(). + +From: Kuniyuki Iwashima + +[ Upstream commit d51705614f668254cc5def7490df76f9680b4659 ] + +Since introduced, mctp has been ignoring the returned value of +rtnl_register_module(), which could fail silently. + +Handling the error allows users to view a module as an all-or-nothing +thing in terms of the rtnetlink functionality. This prevents syzkaller +from reporting spurious errors from its tests, where OOM often occurs +and module is automatically loaded. + +Let's handle the errors by rtnl_register_many(). + +Fixes: 583be982d934 ("mctp: Add device handling and netlink interface") +Fixes: 831119f88781 ("mctp: Add neighbour netlink interface") +Fixes: 06d2f4c583a7 ("mctp: Add netlink route management") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Jeremy Kerr +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/mctp.h | 2 +- + net/mctp/af_mctp.c | 6 +++++- + net/mctp/device.c | 30 ++++++++++++++++++------------ + net/mctp/neigh.c | 31 +++++++++++++++++++------------ + net/mctp/route.c | 33 +++++++++++++++++++++++---------- + 5 files changed, 66 insertions(+), 36 deletions(-) + +diff --git a/include/net/mctp.h b/include/net/mctp.h +index 2bff5f47ce82f..1eb1b4393e46b 100644 +--- a/include/net/mctp.h ++++ b/include/net/mctp.h +@@ -293,7 +293,7 @@ void mctp_neigh_remove_dev(struct mctp_dev *mdev); + int mctp_routes_init(void); + void mctp_routes_exit(void); + +-void mctp_device_init(void); ++int mctp_device_init(void); + void mctp_device_exit(void); + + #endif /* __NET_MCTP_H */ +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index f6be58b68c6f3..28be85d055330 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -676,10 +676,14 @@ static __init int mctp_init(void) + if (rc) + goto err_unreg_routes; + +- mctp_device_init(); ++ rc = mctp_device_init(); ++ if (rc) ++ goto err_unreg_neigh; + + return 0; + ++err_unreg_neigh: ++ mctp_neigh_exit(); + err_unreg_routes: + mctp_routes_exit(); + err_unreg_proto: +diff --git a/net/mctp/device.c b/net/mctp/device.c +index acb97b2574289..85cc5f31f1e7c 100644 +--- a/net/mctp/device.c ++++ b/net/mctp/device.c +@@ -524,25 +524,31 @@ static struct notifier_block mctp_dev_nb = { + .priority = ADDRCONF_NOTIFY_PRIORITY, + }; + +-void __init mctp_device_init(void) ++static const struct rtnl_msg_handler mctp_device_rtnl_msg_handlers[] = { ++ {THIS_MODULE, PF_MCTP, RTM_NEWADDR, mctp_rtm_newaddr, NULL, 0}, ++ {THIS_MODULE, PF_MCTP, RTM_DELADDR, mctp_rtm_deladdr, NULL, 0}, ++ {THIS_MODULE, PF_MCTP, RTM_GETADDR, NULL, mctp_dump_addrinfo, 0}, ++}; ++ ++int __init mctp_device_init(void) + { +- register_netdevice_notifier(&mctp_dev_nb); ++ int err; + +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_GETADDR, +- NULL, mctp_dump_addrinfo, 0); +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_NEWADDR, +- mctp_rtm_newaddr, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_DELADDR, +- mctp_rtm_deladdr, NULL, 0); ++ register_netdevice_notifier(&mctp_dev_nb); + rtnl_af_register(&mctp_af_ops); ++ ++ err = rtnl_register_many(mctp_device_rtnl_msg_handlers); ++ if (err) { ++ rtnl_af_unregister(&mctp_af_ops); ++ unregister_netdevice_notifier(&mctp_dev_nb); ++ } ++ ++ return err; + } + + void __exit mctp_device_exit(void) + { ++ rtnl_unregister_many(mctp_device_rtnl_msg_handlers); + rtnl_af_unregister(&mctp_af_ops); +- rtnl_unregister(PF_MCTP, RTM_DELADDR); +- rtnl_unregister(PF_MCTP, RTM_NEWADDR); +- rtnl_unregister(PF_MCTP, RTM_GETADDR); +- + unregister_netdevice_notifier(&mctp_dev_nb); + } +diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c +index ffa0f9e0983fb..590f642413e4e 100644 +--- a/net/mctp/neigh.c ++++ b/net/mctp/neigh.c +@@ -322,22 +322,29 @@ static struct pernet_operations mctp_net_ops = { + .exit = mctp_neigh_net_exit, + }; + ++static const struct rtnl_msg_handler mctp_neigh_rtnl_msg_handlers[] = { ++ {THIS_MODULE, PF_MCTP, RTM_NEWNEIGH, mctp_rtm_newneigh, NULL, 0}, ++ {THIS_MODULE, PF_MCTP, RTM_DELNEIGH, mctp_rtm_delneigh, NULL, 0}, ++ {THIS_MODULE, PF_MCTP, RTM_GETNEIGH, NULL, mctp_rtm_getneigh, 0}, ++}; ++ + int __init mctp_neigh_init(void) + { +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_NEWNEIGH, +- mctp_rtm_newneigh, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_DELNEIGH, +- mctp_rtm_delneigh, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_GETNEIGH, +- NULL, mctp_rtm_getneigh, 0); +- +- return register_pernet_subsys(&mctp_net_ops); ++ int err; ++ ++ err = register_pernet_subsys(&mctp_net_ops); ++ if (err) ++ return err; ++ ++ err = rtnl_register_many(mctp_neigh_rtnl_msg_handlers); ++ if (err) ++ unregister_pernet_subsys(&mctp_net_ops); ++ ++ return err; + } + +-void __exit mctp_neigh_exit(void) ++void mctp_neigh_exit(void) + { ++ rtnl_unregister_many(mctp_neigh_rtnl_msg_handlers); + unregister_pernet_subsys(&mctp_net_ops); +- rtnl_unregister(PF_MCTP, RTM_GETNEIGH); +- rtnl_unregister(PF_MCTP, RTM_DELNEIGH); +- rtnl_unregister(PF_MCTP, RTM_NEWNEIGH); + } +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 01c530dbc1a65..c6a815df9d358 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -1410,26 +1410,39 @@ static struct pernet_operations mctp_net_ops = { + .exit = mctp_routes_net_exit, + }; + ++static const struct rtnl_msg_handler mctp_route_rtnl_msg_handlers[] = { ++ {THIS_MODULE, PF_MCTP, RTM_NEWROUTE, mctp_newroute, NULL, 0}, ++ {THIS_MODULE, PF_MCTP, RTM_DELROUTE, mctp_delroute, NULL, 0}, ++ {THIS_MODULE, PF_MCTP, RTM_GETROUTE, NULL, mctp_dump_rtinfo, 0}, ++}; ++ + int __init mctp_routes_init(void) + { ++ int err; ++ + dev_add_pack(&mctp_packet_type); + +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_GETROUTE, +- NULL, mctp_dump_rtinfo, 0); +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_NEWROUTE, +- mctp_newroute, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_DELROUTE, +- mctp_delroute, NULL, 0); ++ err = register_pernet_subsys(&mctp_net_ops); ++ if (err) ++ goto err_pernet; ++ ++ err = rtnl_register_many(mctp_route_rtnl_msg_handlers); ++ if (err) ++ goto err_rtnl; + +- return register_pernet_subsys(&mctp_net_ops); ++ return 0; ++ ++err_rtnl: ++ unregister_pernet_subsys(&mctp_net_ops); ++err_pernet: ++ dev_remove_pack(&mctp_packet_type); ++ return err; + } + + void mctp_routes_exit(void) + { ++ rtnl_unregister_many(mctp_route_rtnl_msg_handlers); + unregister_pernet_subsys(&mctp_net_ops); +- rtnl_unregister(PF_MCTP, RTM_DELROUTE); +- rtnl_unregister(PF_MCTP, RTM_NEWROUTE); +- rtnl_unregister(PF_MCTP, RTM_GETROUTE); + dev_remove_pack(&mctp_packet_type); + } + +-- +2.43.0 + diff --git a/queue-6.6/mpls-handle-error-of-rtnl_register_module.patch b/queue-6.6/mpls-handle-error-of-rtnl_register_module.patch new file mode 100644 index 00000000000..b62f58dd6a6 --- /dev/null +++ b/queue-6.6/mpls-handle-error-of-rtnl_register_module.patch @@ -0,0 +1,87 @@ +From 2bf9273c96e40673368dba3ab8f6a53e5aafbb9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 11:47:36 -0700 +Subject: mpls: Handle error of rtnl_register_module(). + +From: Kuniyuki Iwashima + +[ Upstream commit 5be2062e3080e3ff6707816caa445ec0c6eaacf7 ] + +Since introduced, mpls_init() has been ignoring the returned +value of rtnl_register_module(), which could fail silently. + +Handling the error allows users to view a module as an all-or-nothing +thing in terms of the rtnetlink functionality. This prevents syzkaller +from reporting spurious errors from its tests, where OOM often occurs +and module is automatically loaded. + +Let's handle the errors by rtnl_register_many(). + +Fixes: 03c0566542f4 ("mpls: Netlink commands to add, remove, and dump routes") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mpls/af_mpls.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c +index ba034fcd59f0d..43e8343df0db7 100644 +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -2729,6 +2729,15 @@ static struct rtnl_af_ops mpls_af_ops __read_mostly = { + .get_stats_af_size = mpls_get_stats_af_size, + }; + ++static const struct rtnl_msg_handler mpls_rtnl_msg_handlers[] __initdata_or_module = { ++ {THIS_MODULE, PF_MPLS, RTM_NEWROUTE, mpls_rtm_newroute, NULL, 0}, ++ {THIS_MODULE, PF_MPLS, RTM_DELROUTE, mpls_rtm_delroute, NULL, 0}, ++ {THIS_MODULE, PF_MPLS, RTM_GETROUTE, mpls_getroute, mpls_dump_routes, 0}, ++ {THIS_MODULE, PF_MPLS, RTM_GETNETCONF, ++ mpls_netconf_get_devconf, mpls_netconf_dump_devconf, ++ RTNL_FLAG_DUMP_UNLOCKED}, ++}; ++ + static int __init mpls_init(void) + { + int err; +@@ -2747,24 +2756,25 @@ static int __init mpls_init(void) + + rtnl_af_register(&mpls_af_ops); + +- rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_NEWROUTE, +- mpls_rtm_newroute, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_DELROUTE, +- mpls_rtm_delroute, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_GETROUTE, +- mpls_getroute, mpls_dump_routes, 0); +- rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_GETNETCONF, +- mpls_netconf_get_devconf, +- mpls_netconf_dump_devconf, +- RTNL_FLAG_DUMP_UNLOCKED); +- err = ipgre_tunnel_encap_add_mpls_ops(); ++ err = rtnl_register_many(mpls_rtnl_msg_handlers); + if (err) ++ goto out_unregister_rtnl_af; ++ ++ err = ipgre_tunnel_encap_add_mpls_ops(); ++ if (err) { + pr_err("Can't add mpls over gre tunnel ops\n"); ++ goto out_unregister_rtnl; ++ } + + err = 0; + out: + return err; + ++out_unregister_rtnl: ++ rtnl_unregister_many(mpls_rtnl_msg_handlers); ++out_unregister_rtnl_af: ++ rtnl_af_unregister(&mpls_af_ops); ++ dev_remove_pack(&mpls_packet_type); + out_unregister_pernet: + unregister_pernet_subsys(&mpls_net_ops); + goto out; +-- +2.43.0 + diff --git a/queue-6.6/mpls-no-longer-hold-rtnl-in-mpls_netconf_dump_devcon.patch b/queue-6.6/mpls-no-longer-hold-rtnl-in-mpls_netconf_dump_devcon.patch new file mode 100644 index 00000000000..4eb5064adef --- /dev/null +++ b/queue-6.6/mpls-no-longer-hold-rtnl-in-mpls_netconf_dump_devcon.patch @@ -0,0 +1,129 @@ +From aea6a2fb49a166fb5dae848c92abd7943f047393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 11:19:50 +0000 +Subject: mpls: no longer hold RTNL in mpls_netconf_dump_devconf() + +From: Eric Dumazet + +[ Upstream commit e0f89d2864b062b027196925ea19f94b2ce50d6a ] + +- Use for_each_netdev_dump() to no longer rely + on net->dev_index_head hash table. + +- No longer care of net->dev_base_seq + +- Fix return value at the end of a dump, + so that NLMSG_DONE can be appended to current skb, + saving one recvmsg() system call. + +- No longer grab RTNL, RCU protection is enough, + afer adding one READ_ONCE(mdev->input_enabled) + in mpls_netconf_fill_devconf() + +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240410111951.2673193-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().") +Signed-off-by: Sasha Levin +--- + net/mpls/af_mpls.c | 59 +++++++++++++++++----------------------------- + 1 file changed, 22 insertions(+), 37 deletions(-) + +diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c +index 1af29af653885..ba034fcd59f0d 100644 +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1154,7 +1154,7 @@ static int mpls_netconf_fill_devconf(struct sk_buff *skb, struct mpls_dev *mdev, + + if ((all || type == NETCONFA_INPUT) && + nla_put_s32(skb, NETCONFA_INPUT, +- mdev->input_enabled) < 0) ++ READ_ONCE(mdev->input_enabled)) < 0) + goto nla_put_failure; + + nlmsg_end(skb, nlh); +@@ -1303,11 +1303,12 @@ static int mpls_netconf_dump_devconf(struct sk_buff *skb, + { + const struct nlmsghdr *nlh = cb->nlh; + struct net *net = sock_net(skb->sk); +- struct hlist_head *head; ++ struct { ++ unsigned long ifindex; ++ } *ctx = (void *)cb->ctx; + struct net_device *dev; + struct mpls_dev *mdev; +- int idx, s_idx; +- int h, s_h; ++ int err = 0; + + if (cb->strict_check) { + struct netlink_ext_ack *extack = cb->extack; +@@ -1324,40 +1325,23 @@ static int mpls_netconf_dump_devconf(struct sk_buff *skb, + } + } + +- s_h = cb->args[0]; +- s_idx = idx = cb->args[1]; +- +- for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { +- idx = 0; +- head = &net->dev_index_head[h]; +- rcu_read_lock(); +- cb->seq = net->dev_base_seq; +- hlist_for_each_entry_rcu(dev, head, index_hlist) { +- if (idx < s_idx) +- goto cont; +- mdev = mpls_dev_get(dev); +- if (!mdev) +- goto cont; +- if (mpls_netconf_fill_devconf(skb, mdev, +- NETLINK_CB(cb->skb).portid, +- nlh->nlmsg_seq, +- RTM_NEWNETCONF, +- NLM_F_MULTI, +- NETCONFA_ALL) < 0) { +- rcu_read_unlock(); +- goto done; +- } +- nl_dump_check_consistent(cb, nlmsg_hdr(skb)); +-cont: +- idx++; +- } +- rcu_read_unlock(); ++ rcu_read_lock(); ++ for_each_netdev_dump(net, dev, ctx->ifindex) { ++ mdev = mpls_dev_get(dev); ++ if (!mdev) ++ continue; ++ err = mpls_netconf_fill_devconf(skb, mdev, ++ NETLINK_CB(cb->skb).portid, ++ nlh->nlmsg_seq, ++ RTM_NEWNETCONF, ++ NLM_F_MULTI, ++ NETCONFA_ALL); ++ if (err < 0) ++ break; + } +-done: +- cb->args[0] = h; +- cb->args[1] = idx; ++ rcu_read_unlock(); + +- return skb->len; ++ return err; + } + + #define MPLS_PERDEV_SYSCTL_OFFSET(field) \ +@@ -2771,7 +2755,8 @@ static int __init mpls_init(void) + mpls_getroute, mpls_dump_routes, 0); + rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_GETNETCONF, + mpls_netconf_get_devconf, +- mpls_netconf_dump_devconf, 0); ++ mpls_netconf_dump_devconf, ++ RTNL_FLAG_DUMP_UNLOCKED); + err = ipgre_tunnel_encap_add_mpls_ops(); + if (err) + pr_err("Can't add mpls over gre tunnel ops\n"); +-- +2.43.0 + diff --git a/queue-6.6/net-do-not-delay-dst_entries_add-in-dst_release.patch b/queue-6.6/net-do-not-delay-dst_entries_add-in-dst_release.patch new file mode 100644 index 00000000000..79f3113faed --- /dev/null +++ b/queue-6.6/net-do-not-delay-dst_entries_add-in-dst_release.patch @@ -0,0 +1,94 @@ +From 4445274f215ff5d99cdffa3ce60dc1d30bbb05a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 14:31:10 +0000 +Subject: net: do not delay dst_entries_add() in dst_release() + +From: Eric Dumazet + +[ Upstream commit ac888d58869bb99753e7652be19a151df9ecb35d ] + +dst_entries_add() uses per-cpu data that might be freed at netns +dismantle from ip6_route_net_exit() calling dst_entries_destroy() + +Before ip6_route_net_exit() can be called, we release all +the dsts associated with this netns, via calls to dst_release(), +which waits an rcu grace period before calling dst_destroy() + +dst_entries_add() use in dst_destroy() is racy, because +dst_entries_destroy() could have been called already. + +Decrementing the number of dsts must happen sooner. + +Notes: + +1) in CONFIG_XFRM case, dst_destroy() can call + dst_release_immediate(child), this might also cause UAF + if the child does not have DST_NOCOUNT set. + IPSEC maintainers might take a look and see how to address this. + +2) There is also discussion about removing this count of dst, + which might happen in future kernels. + +Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()") +Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/ +Reported-by: Naresh Kamboju +Tested-by: Linux Kernel Functional Testing +Tested-by: Naresh Kamboju +Signed-off-by: Eric Dumazet +Cc: Xin Long +Cc: Steffen Klassert +Reviewed-by: Xin Long +Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dst.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/net/core/dst.c b/net/core/dst.c +index 980e2fd2f013b..137b8d1c72203 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -109,9 +109,6 @@ struct dst_entry *dst_destroy(struct dst_entry * dst) + child = xdst->child; + } + #endif +- if (!(dst->flags & DST_NOCOUNT)) +- dst_entries_add(dst->ops, -1); +- + if (dst->ops->destroy) + dst->ops->destroy(dst); + netdev_put(dst->dev, &dst->dev_tracker); +@@ -161,17 +158,27 @@ void dst_dev_put(struct dst_entry *dst) + } + EXPORT_SYMBOL(dst_dev_put); + ++static void dst_count_dec(struct dst_entry *dst) ++{ ++ if (!(dst->flags & DST_NOCOUNT)) ++ dst_entries_add(dst->ops, -1); ++} ++ + void dst_release(struct dst_entry *dst) + { +- if (dst && rcuref_put(&dst->__rcuref)) ++ if (dst && rcuref_put(&dst->__rcuref)) { ++ dst_count_dec(dst); + call_rcu_hurry(&dst->rcu_head, dst_destroy_rcu); ++ } + } + EXPORT_SYMBOL(dst_release); + + void dst_release_immediate(struct dst_entry *dst) + { +- if (dst && rcuref_put(&dst->__rcuref)) ++ if (dst && rcuref_put(&dst->__rcuref)) { ++ dst_count_dec(dst); + dst_destroy(dst); ++ } + } + EXPORT_SYMBOL(dst_release_immediate); + +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch b/queue-6.6/net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch new file mode 100644 index 00000000000..80aa33421b3 --- /dev/null +++ b/queue-6.6/net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch @@ -0,0 +1,38 @@ +From 5a26cfe607fde7d7fb66eedf8694c86502671097 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 10:47:20 +0200 +Subject: net: dsa: b53: allow lower MTUs on BCM5325/5365 + +From: Jonas Gorski + +[ Upstream commit e4b294f88a32438baf31762441f3dd1c996778be ] + +While BCM5325/5365 do not support jumbo frames, they do support slightly +oversized frames, so do not error out if requesting a supported MTU for +them. + +Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index b43b414b26969..51b41eb660134 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -2267,7 +2267,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu) + bool allow_10_100; + + if (is5325(dev) || is5365(dev)) +- return -EOPNOTSUPP; ++ return 0; + + if (!dsa_is_cpu_port(ds, port)) + return 0; +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-b53-fix-jumbo-frame-mtu-check.patch b/queue-6.6/net-dsa-b53-fix-jumbo-frame-mtu-check.patch new file mode 100644 index 00000000000..24803afc54b --- /dev/null +++ b/queue-6.6/net-dsa-b53-fix-jumbo-frame-mtu-check.patch @@ -0,0 +1,49 @@ +From f6ae36e3543d44a33e4241a0e6a366491fa33b8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 10:47:17 +0200 +Subject: net: dsa: b53: fix jumbo frame mtu check + +From: Jonas Gorski + +[ Upstream commit 42fb3acf6826c6764ba79feb6e15229b43fd2f9f ] + +JMS_MIN_SIZE is the full ethernet frame length, while mtu is just the +data payload size. Comparing these two meant that mtus between 1500 and +1518 did not trigger enabling jumbo frames. + +So instead compare the set mtu ETH_DATA_LEN, which is equal to +JMS_MIN_SIZE - ETH_HLEN - ETH_FCS_LEN; + +Also do a check that the requested mtu is actually greater than the +minimum length, else we do not need to enable jumbo frames. + +In practice this only introduced a very small range of mtus that did not +work properly. Newer chips allow 2000 byte large frames by default, and +older chips allow 1536 bytes long, which is equivalent to an mtu of +1514. So effectivly only mtus of 1515~1517 were broken. + +Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index ae1c4dc35fe33..492e5eb931a6f 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -2268,7 +2268,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu) + if (!dsa_is_cpu_port(ds, port)) + return 0; + +- enable_jumbo = (mtu >= JMS_MIN_SIZE); ++ enable_jumbo = (mtu > ETH_DATA_LEN); + allow_10_100 = (dev->chip_id == BCM583XX_DEVICE_ID); + + return b53_set_jumbo(dev, enable_jumbo, allow_10_100); +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch b/queue-6.6/net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch new file mode 100644 index 00000000000..02d6b276e68 --- /dev/null +++ b/queue-6.6/net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch @@ -0,0 +1,42 @@ +From 11a81180e58ba9b4c79bd68e1bf8b5a336f87043 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 10:47:21 +0200 +Subject: net: dsa: b53: fix jumbo frames on 10/100 ports + +From: Jonas Gorski + +[ Upstream commit 2f3dcd0d39affe5b9ba1c351ce0e270c8bdd5109 ] + +All modern chips support and need the 10_100 bit set for supporting jumbo +frames on 10/100 ports, so instead of enabling it only for 583XX enable +it for everything except bcm63xx, where the bit is writeable, but does +nothing. + +Tested on BCM53115, where jumbo frames were dropped at 10/100 speeds +without the bit set. + +Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 51b41eb660134..4a2c9a9134d8c 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -2273,7 +2273,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu) + return 0; + + enable_jumbo = (mtu > ETH_DATA_LEN); +- allow_10_100 = (dev->chip_id == BCM583XX_DEVICE_ID); ++ allow_10_100 = !is63xx(dev); + + return b53_set_jumbo(dev, enable_jumbo, allow_10_100); + } +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-b53-fix-max-mtu-for-1g-switches.patch b/queue-6.6/net-dsa-b53-fix-max-mtu-for-1g-switches.patch new file mode 100644 index 00000000000..057f2247b4d --- /dev/null +++ b/queue-6.6/net-dsa-b53-fix-max-mtu-for-1g-switches.patch @@ -0,0 +1,58 @@ +From 0b353e9833f976cb8039c3f4ba685788d6645991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 10:47:18 +0200 +Subject: net: dsa: b53: fix max MTU for 1g switches + +From: Jonas Gorski + +[ Upstream commit 680a8217dc00dc7e7da57888b3c053289b60eb2b ] + +JMS_MAX_SIZE is the ethernet frame length, not the MTU, which is payload +without ethernet headers. + +According to the datasheets maximum supported frame length for most +gigabyte swithes is 9720 bytes, so convert that to the expected MTU when +using VLAN tagged frames. + +Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 492e5eb931a6f..0a1f7f1315721 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + + #include "b53_regs.h" +@@ -224,6 +225,8 @@ static const struct b53_mib_desc b53_mibs_58xx[] = { + + #define B53_MIBS_58XX_SIZE ARRAY_SIZE(b53_mibs_58xx) + ++#define B53_MAX_MTU (9720 - ETH_HLEN - VLAN_HLEN - ETH_FCS_LEN) ++ + static int b53_do_vlan_op(struct b53_device *dev, u8 op) + { + unsigned int i; +@@ -2276,7 +2279,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu) + + static int b53_get_max_mtu(struct dsa_switch *ds, int port) + { +- return JMS_MAX_SIZE; ++ return B53_MAX_MTU; + } + + static const struct dsa_switch_ops b53_switch_ops = { +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch b/queue-6.6/net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch new file mode 100644 index 00000000000..3fcf677f8ba --- /dev/null +++ b/queue-6.6/net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch @@ -0,0 +1,49 @@ +From 570ab7d57ba040260575bf07f9de048333e53f51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 10:47:19 +0200 +Subject: net: dsa: b53: fix max MTU for BCM5325/BCM5365 + +From: Jonas Gorski + +[ Upstream commit ca8c1f71c10193c270f772d70d34b15ad765d6a8 ] + +BCM5325/BCM5365 do not support jumbo frames, so we should not report a +jumbo frame mtu for them. But they do support so called "oversized" +frames up to 1536 bytes long by default, so report an appropriate MTU. + +Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 0a1f7f1315721..b43b414b26969 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -225,6 +225,7 @@ static const struct b53_mib_desc b53_mibs_58xx[] = { + + #define B53_MIBS_58XX_SIZE ARRAY_SIZE(b53_mibs_58xx) + ++#define B53_MAX_MTU_25 (1536 - ETH_HLEN - VLAN_HLEN - ETH_FCS_LEN) + #define B53_MAX_MTU (9720 - ETH_HLEN - VLAN_HLEN - ETH_FCS_LEN) + + static int b53_do_vlan_op(struct b53_device *dev, u8 op) +@@ -2279,6 +2280,11 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu) + + static int b53_get_max_mtu(struct dsa_switch *ds, int port) + { ++ struct b53_device *dev = ds->priv; ++ ++ if (is5325(dev) || is5365(dev)) ++ return B53_MAX_MTU_25; ++ + return B53_MAX_MTU; + } + +-- +2.43.0 + diff --git a/queue-6.6/net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch b/queue-6.6/net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch new file mode 100644 index 00000000000..2c8c4b3be66 --- /dev/null +++ b/queue-6.6/net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch @@ -0,0 +1,48 @@ +From e844d02dd003ade3c664f4341a93d73e0a09110c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 20:53:15 +0200 +Subject: net: ethernet: adi: adin1110: Fix some error handling path in + adin1110_read_fifo() + +From: Christophe JAILLET + +[ Upstream commit 83211ae1640516accae645de82f5a0a142676897 ] + +If 'frame_size' is too small or if 'round_len' is an error code, it is +likely that an error code should be returned to the caller. + +Actually, 'ret' is likely to be 0, so if one of these sanity checks fails, +'success' is returned. + +Return -EINVAL instead. + +Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support") +Signed-off-by: Christophe JAILLET +Link: https://patch.msgid.link/8ff73b40f50d8fa994a454911b66adebce8da266.1727981562.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index d7c274af6d4da..3c26176316a38 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -318,11 +318,11 @@ static int adin1110_read_fifo(struct adin1110_port_priv *port_priv) + * from the ADIN1110 frame header. + */ + if (frame_size < ADIN1110_FRAME_HEADER_LEN + ADIN1110_FEC_LEN) +- return ret; ++ return -EINVAL; + + round_len = adin1110_round_len(frame_size); + if (round_len < 0) +- return ret; ++ return -EINVAL; + + frame_size_no_fcs = frame_size - ADIN1110_FRAME_HEADER_LEN - ADIN1110_FEC_LEN; + memset(priv->data, 0, ADIN1110_RD_HEADER_LEN); +-- +2.43.0 + diff --git a/queue-6.6/net-ibm-emac-mal-fix-wrong-goto.patch b/queue-6.6/net-ibm-emac-mal-fix-wrong-goto.patch new file mode 100644 index 00000000000..558f2239915 --- /dev/null +++ b/queue-6.6/net-ibm-emac-mal-fix-wrong-goto.patch @@ -0,0 +1,36 @@ +From 22e6606380d2dfb5e50baeee46434aaa8e1c44e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 16:57:11 -0700 +Subject: net: ibm: emac: mal: fix wrong goto + +From: Rosen Penev + +[ Upstream commit 08c8acc9d8f3f70d62dd928571368d5018206490 ] + +dcr_map is called in the previous if and therefore needs to be unmapped. + +Fixes: 1ff0fcfcb1a6 ("ibm_newemac: Fix new MAL feature handling") +Signed-off-by: Rosen Penev +Link: https://patch.msgid.link/20241007235711.5714-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/emac/mal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/emac/mal.c b/drivers/net/ethernet/ibm/emac/mal.c +index c3236b59e7e93..3578b7d720c06 100644 +--- a/drivers/net/ethernet/ibm/emac/mal.c ++++ b/drivers/net/ethernet/ibm/emac/mal.c +@@ -578,7 +578,7 @@ static int mal_probe(struct platform_device *ofdev) + printk(KERN_ERR "%pOF: Support for 405EZ not enabled!\n", + ofdev->dev.of_node); + err = -ENODEV; +- goto fail; ++ goto fail_unmap; + #endif + } + +-- +2.43.0 + diff --git a/queue-6.6/net-phy-bcm84881-fix-some-error-handling-paths.patch b/queue-6.6/net-phy-bcm84881-fix-some-error-handling-paths.patch new file mode 100644 index 00000000000..bdb420b2399 --- /dev/null +++ b/queue-6.6/net-phy-bcm84881-fix-some-error-handling-paths.patch @@ -0,0 +1,46 @@ +From 1cab006477f3725a453540d9d6b4c01e2182b348 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 21:03:21 +0200 +Subject: net: phy: bcm84881: Fix some error handling paths + +From: Christophe JAILLET + +[ Upstream commit 9234a2549cb6ac038bec36cc7c084218e9575513 ] + +If phy_read_mmd() fails, the error code stored in 'bmsr' should be returned +instead of 'val' which is likely to be 0. + +Fixes: 75f4d8d10e01 ("net: phy: add Broadcom BCM84881 PHY driver") +Signed-off-by: Christophe JAILLET +Link: https://patch.msgid.link/3e1755b0c40340d00e089d6adae5bca2f8c79e53.1727982168.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/bcm84881.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/bcm84881.c b/drivers/net/phy/bcm84881.c +index 9717a1626f3fa..37a64a37b2ae3 100644 +--- a/drivers/net/phy/bcm84881.c ++++ b/drivers/net/phy/bcm84881.c +@@ -120,7 +120,7 @@ static int bcm84881_aneg_done(struct phy_device *phydev) + + bmsr = phy_read_mmd(phydev, MDIO_MMD_AN, MDIO_AN_C22 + MII_BMSR); + if (bmsr < 0) +- return val; ++ return bmsr; + + return !!(val & MDIO_AN_STAT1_COMPLETE) && + !!(bmsr & BMSR_ANEGCOMPLETE); +@@ -146,7 +146,7 @@ static int bcm84881_read_status(struct phy_device *phydev) + + bmsr = phy_read_mmd(phydev, MDIO_MMD_AN, MDIO_AN_C22 + MII_BMSR); + if (bmsr < 0) +- return val; ++ return bmsr; + + phydev->autoneg_complete = !!(val & MDIO_AN_STAT1_COMPLETE) && + !!(bmsr & BMSR_ANEGCOMPLETE); +-- +2.43.0 + diff --git a/queue-6.6/net-phy-dp83869-fix-memory-corruption-when-enabling-.patch b/queue-6.6/net-phy-dp83869-fix-memory-corruption-when-enabling-.patch new file mode 100644 index 00000000000..06d50ef4a71 --- /dev/null +++ b/queue-6.6/net-phy-dp83869-fix-memory-corruption-when-enabling-.patch @@ -0,0 +1,43 @@ +From 238e9959fa42d5721107b6e0bb4e7fde3929b574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 18:18:07 +0200 +Subject: net: phy: dp83869: fix memory corruption when enabling fiber + +From: Ingo van Lil + +[ Upstream commit a842e443ca8184f2dc82ab307b43a8b38defd6a5 ] + +When configuring the fiber port, the DP83869 PHY driver incorrectly +calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit +number (10). This corrupts some other memory location -- in case of +arm64 the priv pointer in the same structure. + +Since the advertising flags are updated from supported at the end of the +function the incorrect line isn't needed at all and can be removed. + +Fixes: a29de52ba2a1 ("net: dp83869: Add ability to advertise Fiber connection") +Signed-off-by: Ingo van Lil +Reviewed-by: Alexander Sverdlin +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20241002161807.440378-1-inguin@gmx.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83869.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c +index d7aaefb5226b6..5f056d7db83ee 100644 +--- a/drivers/net/phy/dp83869.c ++++ b/drivers/net/phy/dp83869.c +@@ -645,7 +645,6 @@ static int dp83869_configure_fiber(struct phy_device *phydev, + phydev->supported); + + linkmode_set_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported); +- linkmode_set_bit(ADVERTISED_FIBRE, phydev->advertising); + + if (dp83869->mode == DP83869_RGMII_1000_BASE) { + linkmode_set_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT, +-- +2.43.0 + diff --git a/queue-6.6/net-sched-accept-tca_stab-only-for-root-qdisc.patch b/queue-6.6/net-sched-accept-tca_stab-only-for-root-qdisc.patch new file mode 100644 index 00000000000..ca9067c900c --- /dev/null +++ b/queue-6.6/net-sched-accept-tca_stab-only-for-root-qdisc.patch @@ -0,0 +1,150 @@ +From 518de2eb04863dc1eb13caa1ac05d4b3acbaa0c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:41:30 +0000 +Subject: net/sched: accept TCA_STAB only for root qdisc + +From: Eric Dumazet + +[ Upstream commit 3cb7cf1540ddff5473d6baeb530228d19bc97b8a ] + +Most qdiscs maintain their backlog using qdisc_pkt_len(skb) +on the assumption it is invariant between the enqueue() +and dequeue() handlers. + +Unfortunately syzbot can crash a host rather easily using +a TBF + SFQ combination, with an STAB on SFQ [1] + +We can't support TCA_STAB on arbitrary level, this would +require to maintain per-qdisc storage. + +[1] +[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 88.798611] #PF: supervisor read access in kernel mode +[ 88.799014] #PF: error_code(0x0000) - not-present page +[ 88.799506] PGD 0 P4D 0 +[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI +[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117 +[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq +[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00 +All code +======== + 0: 0f b7 50 12 movzwl 0x12(%rax),%edx + 4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax + b: 00 + c: 48 89 d6 mov %rdx,%rsi + f: 48 29 d0 sub %rdx,%rax + 12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx + 19: 48 c1 e0 03 shl $0x3,%rax + 1d: 48 01 c2 add %rax,%rdx + 20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx) + 25: 7e c0 jle 0xffffffffffffffe7 + 27: 48 8b 3a mov (%rdx),%rdi + 2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction + 2d: 4c 89 02 mov %r8,(%rdx) + 30: 49 89 50 08 mov %rdx,0x8(%r8) + 34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) + 3b: 00 + 3c: 48 rex.W + 3d: c7 .byte 0xc7 + 3e: 07 (bad) + ... + +Code starting with the faulting instruction +=========================================== + 0: 4c 8b 07 mov (%rdi),%r8 + 3: 4c 89 02 mov %r8,(%rdx) + 6: 49 89 50 08 mov %rdx,0x8(%r8) + a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) + 11: 00 + 12: 48 rex.W + 13: c7 .byte 0xc7 + 14: 07 (bad) + ... +[ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206 +[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800 +[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000 +[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f +[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140 +[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac +[ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000 +[ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0 +[ 88.808165] Call Trace: +[ 88.808459] +[ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) +[ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715) +[ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) +[ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) +[ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq +[ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq +[ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_generic.c:1036) +[ 88.810950] tbf_reset (./include/linux/timekeeping.h:169 net/sched/sch_tbf.c:334) sch_tbf +[ 88.811208] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_generic.c:1036) +[ 88.811484] netif_set_real_num_tx_queues (./include/linux/spinlock.h:396 ./include/net/sch_generic.h:768 net/core/dev.c:2958) +[ 88.811870] __tun_detach (drivers/net/tun.c:590 drivers/net/tun.c:673) +[ 88.812271] tun_chr_close (drivers/net/tun.c:702 drivers/net/tun.c:3517) +[ 88.812505] __fput (fs/file_table.c:432 (discriminator 1)) +[ 88.812735] task_work_run (kernel/task_work.c:230) +[ 88.813016] do_exit (kernel/exit.c:940) +[ 88.813372] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4)) +[ 88.813639] ? handle_mm_fault (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/memcontrol.h:1022 ./include/linux/memcontrol.h:1045 ./include/linux/memcontrol.h:1052 mm/memory.c:5928 mm/memory.c:6088) +[ 88.813867] do_group_exit (kernel/exit.c:1070) +[ 88.814138] __x64_sys_exit_group (kernel/exit.c:1099) +[ 88.814490] x64_sys_call (??:?) +[ 88.814791] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +[ 88.815012] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 88.815495] RIP: 0033:0x7f44560f1975 + +Fixes: 175f9c1bba9b ("net_sched: Add size table for qdiscs") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Daniel Borkmann +Link: https://patch.msgid.link/20241007184130.3960565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 1 - + net/sched/sch_api.c | 7 ++++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 2799d44e5b979..326d3a322c109 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -845,7 +845,6 @@ static inline void qdisc_calculate_pkt_len(struct sk_buff *skb, + static inline int qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch, + struct sk_buff **to_free) + { +- qdisc_calculate_pkt_len(skb, sch); + return sch->enqueue(skb, sch, to_free); + } + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 0feb824242a68..1455892694c00 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -593,7 +593,6 @@ void __qdisc_calculate_pkt_len(struct sk_buff *skb, + pkt_len = 1; + qdisc_skb_cb(skb)->pkt_len = pkt_len; + } +-EXPORT_SYMBOL(__qdisc_calculate_pkt_len); + + void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) + { +@@ -1172,6 +1171,12 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, + return -EINVAL; + } + ++ if (new && ++ !(parent->flags & TCQ_F_MQROOT) && ++ rcu_access_pointer(new->stab)) { ++ NL_SET_ERR_MSG(extack, "STAB not supported on a non root"); ++ return -EINVAL; ++ } + err = cops->graft(parent, cl, new, &old, extack); + if (err) + return err; +-- +2.43.0 + diff --git a/queue-6.6/netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch b/queue-6.6/netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch new file mode 100644 index 00000000000..371d59f7324 --- /dev/null +++ b/queue-6.6/netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch @@ -0,0 +1,179 @@ +From af5aa81e1d74aac0f212564ea4094197934e7dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 08:43:59 -0700 +Subject: netfilter: br_netfilter: fix panic with metadata_dst skb + +From: Andy Roulin + +[ Upstream commit f9ff7665cd128012868098bbd07e28993e314fdb ] + +Fix a kernel panic in the br_netfilter module when sending untagged +traffic via a VxLAN device. +This happens during the check for fragmentation in br_nf_dev_queue_xmit. + +It is dependent on: +1) the br_netfilter module being loaded; +2) net.bridge.bridge-nf-call-iptables set to 1; +3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port; +4) untagged frames with size higher than the VxLAN MTU forwarded/flooded + +When forwarding the untagged packet to the VxLAN bridge port, before +the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and +changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type +of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL. + +Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check +for frames that needs to be fragmented: frames with higher MTU than the +VxLAN device end up calling br_nf_ip_fragment, which in turns call +ip_skb_dst_mtu. + +The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst +with valid dst->dev, thus the crash. + +This case was never supported in the first place, so drop the packet +instead. + +PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data. +[ 176.291791] Unable to handle kernel NULL pointer dereference at +virtual address 0000000000000110 +[ 176.292101] Mem abort info: +[ 176.292184] ESR = 0x0000000096000004 +[ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits +[ 176.292530] SET = 0, FnV = 0 +[ 176.292709] EA = 0, S1PTW = 0 +[ 176.292862] FSC = 0x04: level 0 translation fault +[ 176.293013] Data abort info: +[ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 +[ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000 +[ 176.294166] [0000000000000110] pgd=0000000000000000, +p4d=0000000000000000 +[ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +[ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth +br_netfilter bridge stp llc ipv6 crct10dif_ce +[ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted +6.8.0-rc3-g5b3fbd61b9d1 #2 +[ 176.296314] Hardware name: linux,dummy-virt (DT) +[ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS +BTYPE=--) +[ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter] +[ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter] +[ 176.297636] sp : ffff800080003630 +[ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27: +ffff6828c49ad9f8 +[ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24: +00000000000003e8 +[ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21: +ffff6828c3b16d28 +[ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18: +0000000000000014 +[ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15: +0000000095744632 +[ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12: +ffffb7e137926a70 +[ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 : +0000000000000000 +[ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 : +f20e0100bebafeca +[ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 : +0000000000000000 +[ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 : +ffff6828c7f918f0 +[ 176.300889] Call trace: +[ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter] +[ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter] +[ 176.301703] nf_hook_slow+0x48/0x124 +[ 176.302060] br_forward_finish+0xc8/0xe8 [bridge] +[ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter] +[ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter] +[ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter] +[ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter] +[ 176.303359] nf_hook_slow+0x48/0x124 +[ 176.303803] __br_forward+0xc4/0x194 [bridge] +[ 176.304013] br_flood+0xd4/0x168 [bridge] +[ 176.304300] br_handle_frame_finish+0x1d4/0x5c4 [bridge] +[ 176.304536] br_nf_hook_thresh+0x124/0x134 [br_netfilter] +[ 176.304978] br_nf_pre_routing_finish+0x29c/0x494 [br_netfilter] +[ 176.305188] br_nf_pre_routing+0x250/0x524 [br_netfilter] +[ 176.305428] br_handle_frame+0x244/0x3cc [bridge] +[ 176.305695] __netif_receive_skb_core.constprop.0+0x33c/0xecc +[ 176.306080] __netif_receive_skb_one_core+0x40/0x8c +[ 176.306197] __netif_receive_skb+0x18/0x64 +[ 176.306369] process_backlog+0x80/0x124 +[ 176.306540] __napi_poll+0x38/0x17c +[ 176.306636] net_rx_action+0x124/0x26c +[ 176.306758] __do_softirq+0x100/0x26c +[ 176.307051] ____do_softirq+0x10/0x1c +[ 176.307162] call_on_irq_stack+0x24/0x4c +[ 176.307289] do_softirq_own_stack+0x1c/0x2c +[ 176.307396] do_softirq+0x54/0x6c +[ 176.307485] __local_bh_enable_ip+0x8c/0x98 +[ 176.307637] __dev_queue_xmit+0x22c/0xd28 +[ 176.307775] neigh_resolve_output+0xf4/0x1a0 +[ 176.308018] ip_finish_output2+0x1c8/0x628 +[ 176.308137] ip_do_fragment+0x5b4/0x658 +[ 176.308279] ip_fragment.constprop.0+0x48/0xec +[ 176.308420] __ip_finish_output+0xa4/0x254 +[ 176.308593] ip_finish_output+0x34/0x130 +[ 176.308814] ip_output+0x6c/0x108 +[ 176.308929] ip_send_skb+0x50/0xf0 +[ 176.309095] ip_push_pending_frames+0x30/0x54 +[ 176.309254] raw_sendmsg+0x758/0xaec +[ 176.309568] inet_sendmsg+0x44/0x70 +[ 176.309667] __sys_sendto+0x110/0x178 +[ 176.309758] __arm64_sys_sendto+0x28/0x38 +[ 176.309918] invoke_syscall+0x48/0x110 +[ 176.310211] el0_svc_common.constprop.0+0x40/0xe0 +[ 176.310353] do_el0_svc+0x1c/0x28 +[ 176.310434] el0_svc+0x34/0xb4 +[ 176.310551] el0t_64_sync_handler+0x120/0x12c +[ 176.310690] el0t_64_sync+0x190/0x194 +[ 176.311066] Code: f9402e61 79402aa2 927ff821 f9400023 (f9408860) +[ 176.315743] ---[ end trace 0000000000000000 ]--- +[ 176.316060] Kernel panic - not syncing: Oops: Fatal exception in +interrupt +[ 176.316371] Kernel Offset: 0x37e0e3000000 from 0xffff800080000000 +[ 176.316564] PHYS_OFFSET: 0xffff97d780000000 +[ 176.316782] CPU features: 0x0,88000203,3c020000,0100421b +[ 176.317210] Memory Limit: none +[ 176.317527] ---[ end Kernel panic - not syncing: Oops: Fatal +Exception in interrupt ]---\ + +Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths") +Reviewed-by: Ido Schimmel +Signed-off-by: Andy Roulin +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20241001154400.22787-2-aroulin@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 68d5538613032..a1cfa75bbadb9 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -871,6 +872,10 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + return br_dev_queue_push_xmit(net, sk, skb); + } + ++ /* Fragmentation on metadata/template dst is not supported */ ++ if (unlikely(!skb_valid_dst(skb))) ++ goto drop; ++ + /* This is wrong! We should preserve the original fragment + * boundaries by preserving frag_list rather than refragmenting. + */ +-- +2.43.0 + diff --git a/queue-6.6/netfilter-fib-check-correct-rtable-in-vrf-setups.patch b/queue-6.6/netfilter-fib-check-correct-rtable-in-vrf-setups.patch new file mode 100644 index 00000000000..d51e150c38d --- /dev/null +++ b/queue-6.6/netfilter-fib-check-correct-rtable-in-vrf-setups.patch @@ -0,0 +1,80 @@ +From d7d55ebc6c1a25f88263a24fc57ef72b21d8da11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 09:19:02 +0200 +Subject: netfilter: fib: check correct rtable in vrf setups + +From: Florian Westphal + +[ Upstream commit 05ef7055debc804e8083737402127975e7244fc4 ] + +We need to init l3mdev unconditionally, else main routing table is searched +and incorrect result is returned unless strict (iif keyword) matching is +requested. + +Next patch adds a selftest for this. + +Fixes: 2a8a7c0eaa87 ("netfilter: nft_fib: Fix for rpath check with VRF devices") +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1761 +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nft_fib_ipv4.c | 4 +--- + net/ipv6/netfilter/nft_fib_ipv6.c | 5 +++-- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c +index 9eee535c64dd4..ba233fdd81886 100644 +--- a/net/ipv4/netfilter/nft_fib_ipv4.c ++++ b/net/ipv4/netfilter/nft_fib_ipv4.c +@@ -66,6 +66,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, + .flowi4_scope = RT_SCOPE_UNIVERSE, + .flowi4_iif = LOOPBACK_IFINDEX, + .flowi4_uid = sock_net_uid(nft_net(pkt), NULL), ++ .flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)), + }; + const struct net_device *oif; + const struct net_device *found; +@@ -84,9 +85,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, + else + oif = NULL; + +- if (priv->flags & NFTA_FIB_F_IIF) +- fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(oif); +- + if (nft_hook(pkt) == NF_INET_PRE_ROUTING && + nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { + nft_fib_store_result(dest, priv, nft_in(pkt)); +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index 36dc14b34388c..c9f1634b3838a 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -41,8 +41,6 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv, + if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) { + lookup_flags |= RT6_LOOKUP_F_IFACE; + fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev); +- } else if (priv->flags & NFTA_FIB_F_IIF) { +- fl6->flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev); + } + + if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST) +@@ -75,6 +73,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv, + else if (priv->flags & NFTA_FIB_F_OIF) + dev = nft_out(pkt); + ++ fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev); ++ + nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph); + + if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true)) +@@ -165,6 +165,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + .flowi6_iif = LOOPBACK_IFINDEX, + .flowi6_proto = pkt->tprot, + .flowi6_uid = sock_net_uid(nft_net(pkt), NULL), ++ .flowi6_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)), + }; + struct rt6_info *rt; + int lookup_flags; +-- +2.43.0 + diff --git a/queue-6.6/netfilter-xtables-avoid-nfproto_unspec-where-needed.patch b/queue-6.6/netfilter-xtables-avoid-nfproto_unspec-where-needed.patch new file mode 100644 index 00000000000..107cf6c49f2 --- /dev/null +++ b/queue-6.6/netfilter-xtables-avoid-nfproto_unspec-where-needed.patch @@ -0,0 +1,996 @@ +From 8b72ad29d68f06b9e0fba1c21b5d2f084d3a30fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 11:28:16 +0200 +Subject: netfilter: xtables: avoid NFPROTO_UNSPEC where needed + +From: Florian Westphal + +[ Upstream commit 0bfcb7b71e735560077a42847f69597ec7dcc326 ] + +syzbot managed to call xt_cluster match via ebtables: + + WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 + [..] + ebt_do_table+0x174b/0x2a40 + +Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet +processing. As this is only useful to restrict locally terminating +TCP/UDP traffic, register this for ipv4 and ipv6 family only. + +Pablo points out that this is a general issue, direct users of the +set/getsockopt interface can call into targets/matches that were only +intended for use with ip(6)tables. + +Check all UNSPEC matches and targets for similar issues: + +- matches and targets are fine except if they assume skb_network_header() + is valid -- this is only true when called from inet layer: ip(6) stack + pulls the ip/ipv6 header into linear data area. +- targets that return XT_CONTINUE or other xtables verdicts must be + restricted too, they are incompatbile with the ebtables traverser, e.g. + EBT_CONTINUE is a completely different value than XT_CONTINUE. + +Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as +they are provided for use by ip(6)tables. + +The MARK target is also used by arptables, so register for NFPROTO_ARP too. + +While at it, bail out if connbytes fails to enable the corresponding +conntrack family. + +This change passes the selftests in iptables.git. + +Reported-by: syzbot+256c348558aa5cf611a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netfilter-devel/66fec2e2.050a0220.9ec68.0047.GAE@google.com/ +Fixes: 0269ea493734 ("netfilter: xtables: add cluster match") +Signed-off-by: Florian Westphal +Co-developed-by: Pablo Neira Ayuso +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_CHECKSUM.c | 33 ++++++---- + net/netfilter/xt_CLASSIFY.c | 16 ++++- + net/netfilter/xt_CONNSECMARK.c | 36 +++++++---- + net/netfilter/xt_CT.c | 106 +++++++++++++++++++++------------ + net/netfilter/xt_IDLETIMER.c | 59 ++++++++++++------ + net/netfilter/xt_LED.c | 39 ++++++++---- + net/netfilter/xt_NFLOG.c | 36 +++++++---- + net/netfilter/xt_RATEEST.c | 39 ++++++++---- + net/netfilter/xt_SECMARK.c | 27 ++++++++- + net/netfilter/xt_TRACE.c | 35 +++++++---- + net/netfilter/xt_addrtype.c | 15 ++++- + net/netfilter/xt_cluster.c | 33 ++++++---- + net/netfilter/xt_connbytes.c | 4 +- + net/netfilter/xt_connlimit.c | 39 ++++++++---- + net/netfilter/xt_connmark.c | 28 ++++++++- + net/netfilter/xt_mark.c | 42 +++++++++---- + 16 files changed, 422 insertions(+), 165 deletions(-) + +diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c +index c8a639f561684..9d99f5a3d1764 100644 +--- a/net/netfilter/xt_CHECKSUM.c ++++ b/net/netfilter/xt_CHECKSUM.c +@@ -63,24 +63,37 @@ static int checksum_tg_check(const struct xt_tgchk_param *par) + return 0; + } + +-static struct xt_target checksum_tg_reg __read_mostly = { +- .name = "CHECKSUM", +- .family = NFPROTO_UNSPEC, +- .target = checksum_tg, +- .targetsize = sizeof(struct xt_CHECKSUM_info), +- .table = "mangle", +- .checkentry = checksum_tg_check, +- .me = THIS_MODULE, ++static struct xt_target checksum_tg_reg[] __read_mostly = { ++ { ++ .name = "CHECKSUM", ++ .family = NFPROTO_IPV4, ++ .target = checksum_tg, ++ .targetsize = sizeof(struct xt_CHECKSUM_info), ++ .table = "mangle", ++ .checkentry = checksum_tg_check, ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "CHECKSUM", ++ .family = NFPROTO_IPV6, ++ .target = checksum_tg, ++ .targetsize = sizeof(struct xt_CHECKSUM_info), ++ .table = "mangle", ++ .checkentry = checksum_tg_check, ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init checksum_tg_init(void) + { +- return xt_register_target(&checksum_tg_reg); ++ return xt_register_targets(checksum_tg_reg, ARRAY_SIZE(checksum_tg_reg)); + } + + static void __exit checksum_tg_exit(void) + { +- xt_unregister_target(&checksum_tg_reg); ++ xt_unregister_targets(checksum_tg_reg, ARRAY_SIZE(checksum_tg_reg)); + } + + module_init(checksum_tg_init); +diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c +index 0accac98dea78..0ae8d8a1216e1 100644 +--- a/net/netfilter/xt_CLASSIFY.c ++++ b/net/netfilter/xt_CLASSIFY.c +@@ -38,9 +38,9 @@ static struct xt_target classify_tg_reg[] __read_mostly = { + { + .name = "CLASSIFY", + .revision = 0, +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) | +- (1 << NF_INET_POST_ROUTING), ++ (1 << NF_INET_POST_ROUTING), + .target = classify_tg, + .targetsize = sizeof(struct xt_classify_target_info), + .me = THIS_MODULE, +@@ -54,6 +54,18 @@ static struct xt_target classify_tg_reg[] __read_mostly = { + .targetsize = sizeof(struct xt_classify_target_info), + .me = THIS_MODULE, + }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "CLASSIFY", ++ .revision = 0, ++ .family = NFPROTO_IPV6, ++ .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) | ++ (1 << NF_INET_POST_ROUTING), ++ .target = classify_tg, ++ .targetsize = sizeof(struct xt_classify_target_info), ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init classify_tg_init(void) +diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c +index 76acecf3e757a..1494b3ee30e11 100644 +--- a/net/netfilter/xt_CONNSECMARK.c ++++ b/net/netfilter/xt_CONNSECMARK.c +@@ -114,25 +114,39 @@ static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par) + nf_ct_netns_put(par->net, par->family); + } + +-static struct xt_target connsecmark_tg_reg __read_mostly = { +- .name = "CONNSECMARK", +- .revision = 0, +- .family = NFPROTO_UNSPEC, +- .checkentry = connsecmark_tg_check, +- .destroy = connsecmark_tg_destroy, +- .target = connsecmark_tg, +- .targetsize = sizeof(struct xt_connsecmark_target_info), +- .me = THIS_MODULE, ++static struct xt_target connsecmark_tg_reg[] __read_mostly = { ++ { ++ .name = "CONNSECMARK", ++ .revision = 0, ++ .family = NFPROTO_IPV4, ++ .checkentry = connsecmark_tg_check, ++ .destroy = connsecmark_tg_destroy, ++ .target = connsecmark_tg, ++ .targetsize = sizeof(struct xt_connsecmark_target_info), ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "CONNSECMARK", ++ .revision = 0, ++ .family = NFPROTO_IPV6, ++ .checkentry = connsecmark_tg_check, ++ .destroy = connsecmark_tg_destroy, ++ .target = connsecmark_tg, ++ .targetsize = sizeof(struct xt_connsecmark_target_info), ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init connsecmark_tg_init(void) + { +- return xt_register_target(&connsecmark_tg_reg); ++ return xt_register_targets(connsecmark_tg_reg, ARRAY_SIZE(connsecmark_tg_reg)); + } + + static void __exit connsecmark_tg_exit(void) + { +- xt_unregister_target(&connsecmark_tg_reg); ++ xt_unregister_targets(connsecmark_tg_reg, ARRAY_SIZE(connsecmark_tg_reg)); + } + + module_init(connsecmark_tg_init); +diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c +index 2be2f7a7b60f4..3ba94c34297cf 100644 +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -313,10 +313,30 @@ static void xt_ct_tg_destroy_v1(const struct xt_tgdtor_param *par) + xt_ct_tg_destroy(par, par->targinfo); + } + ++static unsigned int ++notrack_tg(struct sk_buff *skb, const struct xt_action_param *par) ++{ ++ /* Previously seen (loopback)? Ignore. */ ++ if (skb->_nfct != 0) ++ return XT_CONTINUE; ++ ++ nf_ct_set(skb, NULL, IP_CT_UNTRACKED); ++ ++ return XT_CONTINUE; ++} ++ + static struct xt_target xt_ct_tg_reg[] __read_mostly = { ++ { ++ .name = "NOTRACK", ++ .revision = 0, ++ .family = NFPROTO_IPV4, ++ .target = notrack_tg, ++ .table = "raw", ++ .me = THIS_MODULE, ++ }, + { + .name = "CT", +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .targetsize = sizeof(struct xt_ct_target_info), + .usersize = offsetof(struct xt_ct_target_info, ct), + .checkentry = xt_ct_tg_check_v0, +@@ -327,7 +347,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = { + }, + { + .name = "CT", +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .revision = 1, + .targetsize = sizeof(struct xt_ct_target_info_v1), + .usersize = offsetof(struct xt_ct_target_info, ct), +@@ -339,7 +359,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = { + }, + { + .name = "CT", +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .revision = 2, + .targetsize = sizeof(struct xt_ct_target_info_v1), + .usersize = offsetof(struct xt_ct_target_info, ct), +@@ -349,49 +369,61 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = { + .table = "raw", + .me = THIS_MODULE, + }, +-}; +- +-static unsigned int +-notrack_tg(struct sk_buff *skb, const struct xt_action_param *par) +-{ +- /* Previously seen (loopback)? Ignore. */ +- if (skb->_nfct != 0) +- return XT_CONTINUE; +- +- nf_ct_set(skb, NULL, IP_CT_UNTRACKED); +- +- return XT_CONTINUE; +-} +- +-static struct xt_target notrack_tg_reg __read_mostly = { +- .name = "NOTRACK", +- .revision = 0, +- .family = NFPROTO_UNSPEC, +- .target = notrack_tg, +- .table = "raw", +- .me = THIS_MODULE, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "NOTRACK", ++ .revision = 0, ++ .family = NFPROTO_IPV6, ++ .target = notrack_tg, ++ .table = "raw", ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "CT", ++ .family = NFPROTO_IPV6, ++ .targetsize = sizeof(struct xt_ct_target_info), ++ .usersize = offsetof(struct xt_ct_target_info, ct), ++ .checkentry = xt_ct_tg_check_v0, ++ .destroy = xt_ct_tg_destroy_v0, ++ .target = xt_ct_target_v0, ++ .table = "raw", ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "CT", ++ .family = NFPROTO_IPV6, ++ .revision = 1, ++ .targetsize = sizeof(struct xt_ct_target_info_v1), ++ .usersize = offsetof(struct xt_ct_target_info, ct), ++ .checkentry = xt_ct_tg_check_v1, ++ .destroy = xt_ct_tg_destroy_v1, ++ .target = xt_ct_target_v1, ++ .table = "raw", ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "CT", ++ .family = NFPROTO_IPV6, ++ .revision = 2, ++ .targetsize = sizeof(struct xt_ct_target_info_v1), ++ .usersize = offsetof(struct xt_ct_target_info, ct), ++ .checkentry = xt_ct_tg_check_v2, ++ .destroy = xt_ct_tg_destroy_v1, ++ .target = xt_ct_target_v1, ++ .table = "raw", ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init xt_ct_tg_init(void) + { +- int ret; +- +- ret = xt_register_target(¬rack_tg_reg); +- if (ret < 0) +- return ret; +- +- ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); +- if (ret < 0) { +- xt_unregister_target(¬rack_tg_reg); +- return ret; +- } +- return 0; ++ return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); + } + + static void __exit xt_ct_tg_exit(void) + { + xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); +- xt_unregister_target(¬rack_tg_reg); + } + + module_init(xt_ct_tg_init); +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index db720efa811d5..f8b25b6f5da73 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -458,28 +458,49 @@ static void idletimer_tg_destroy_v1(const struct xt_tgdtor_param *par) + + static struct xt_target idletimer_tg[] __read_mostly = { + { +- .name = "IDLETIMER", +- .family = NFPROTO_UNSPEC, +- .target = idletimer_tg_target, +- .targetsize = sizeof(struct idletimer_tg_info), +- .usersize = offsetof(struct idletimer_tg_info, timer), +- .checkentry = idletimer_tg_checkentry, +- .destroy = idletimer_tg_destroy, +- .me = THIS_MODULE, ++ .name = "IDLETIMER", ++ .family = NFPROTO_IPV4, ++ .target = idletimer_tg_target, ++ .targetsize = sizeof(struct idletimer_tg_info), ++ .usersize = offsetof(struct idletimer_tg_info, timer), ++ .checkentry = idletimer_tg_checkentry, ++ .destroy = idletimer_tg_destroy, ++ .me = THIS_MODULE, + }, + { +- .name = "IDLETIMER", +- .family = NFPROTO_UNSPEC, +- .revision = 1, +- .target = idletimer_tg_target_v1, +- .targetsize = sizeof(struct idletimer_tg_info_v1), +- .usersize = offsetof(struct idletimer_tg_info_v1, timer), +- .checkentry = idletimer_tg_checkentry_v1, +- .destroy = idletimer_tg_destroy_v1, +- .me = THIS_MODULE, ++ .name = "IDLETIMER", ++ .family = NFPROTO_IPV4, ++ .revision = 1, ++ .target = idletimer_tg_target_v1, ++ .targetsize = sizeof(struct idletimer_tg_info_v1), ++ .usersize = offsetof(struct idletimer_tg_info_v1, timer), ++ .checkentry = idletimer_tg_checkentry_v1, ++ .destroy = idletimer_tg_destroy_v1, ++ .me = THIS_MODULE, + }, +- +- ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "IDLETIMER", ++ .family = NFPROTO_IPV6, ++ .target = idletimer_tg_target, ++ .targetsize = sizeof(struct idletimer_tg_info), ++ .usersize = offsetof(struct idletimer_tg_info, timer), ++ .checkentry = idletimer_tg_checkentry, ++ .destroy = idletimer_tg_destroy, ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "IDLETIMER", ++ .family = NFPROTO_IPV6, ++ .revision = 1, ++ .target = idletimer_tg_target_v1, ++ .targetsize = sizeof(struct idletimer_tg_info_v1), ++ .usersize = offsetof(struct idletimer_tg_info_v1, timer), ++ .checkentry = idletimer_tg_checkentry_v1, ++ .destroy = idletimer_tg_destroy_v1, ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static struct class *idletimer_tg_class; +diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c +index 36c9720ad8d6d..f7b0286d106ac 100644 +--- a/net/netfilter/xt_LED.c ++++ b/net/netfilter/xt_LED.c +@@ -175,26 +175,41 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par) + kfree(ledinternal); + } + +-static struct xt_target led_tg_reg __read_mostly = { +- .name = "LED", +- .revision = 0, +- .family = NFPROTO_UNSPEC, +- .target = led_tg, +- .targetsize = sizeof(struct xt_led_info), +- .usersize = offsetof(struct xt_led_info, internal_data), +- .checkentry = led_tg_check, +- .destroy = led_tg_destroy, +- .me = THIS_MODULE, ++static struct xt_target led_tg_reg[] __read_mostly = { ++ { ++ .name = "LED", ++ .revision = 0, ++ .family = NFPROTO_IPV4, ++ .target = led_tg, ++ .targetsize = sizeof(struct xt_led_info), ++ .usersize = offsetof(struct xt_led_info, internal_data), ++ .checkentry = led_tg_check, ++ .destroy = led_tg_destroy, ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "LED", ++ .revision = 0, ++ .family = NFPROTO_IPV6, ++ .target = led_tg, ++ .targetsize = sizeof(struct xt_led_info), ++ .usersize = offsetof(struct xt_led_info, internal_data), ++ .checkentry = led_tg_check, ++ .destroy = led_tg_destroy, ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init led_tg_init(void) + { +- return xt_register_target(&led_tg_reg); ++ return xt_register_targets(led_tg_reg, ARRAY_SIZE(led_tg_reg)); + } + + static void __exit led_tg_exit(void) + { +- xt_unregister_target(&led_tg_reg); ++ xt_unregister_targets(led_tg_reg, ARRAY_SIZE(led_tg_reg)); + } + + module_init(led_tg_init); +diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c +index e660c3710a109..d80abd6ccaf8f 100644 +--- a/net/netfilter/xt_NFLOG.c ++++ b/net/netfilter/xt_NFLOG.c +@@ -64,25 +64,39 @@ static void nflog_tg_destroy(const struct xt_tgdtor_param *par) + nf_logger_put(par->family, NF_LOG_TYPE_ULOG); + } + +-static struct xt_target nflog_tg_reg __read_mostly = { +- .name = "NFLOG", +- .revision = 0, +- .family = NFPROTO_UNSPEC, +- .checkentry = nflog_tg_check, +- .destroy = nflog_tg_destroy, +- .target = nflog_tg, +- .targetsize = sizeof(struct xt_nflog_info), +- .me = THIS_MODULE, ++static struct xt_target nflog_tg_reg[] __read_mostly = { ++ { ++ .name = "NFLOG", ++ .revision = 0, ++ .family = NFPROTO_IPV4, ++ .checkentry = nflog_tg_check, ++ .destroy = nflog_tg_destroy, ++ .target = nflog_tg, ++ .targetsize = sizeof(struct xt_nflog_info), ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "NFLOG", ++ .revision = 0, ++ .family = NFPROTO_IPV4, ++ .checkentry = nflog_tg_check, ++ .destroy = nflog_tg_destroy, ++ .target = nflog_tg, ++ .targetsize = sizeof(struct xt_nflog_info), ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init nflog_tg_init(void) + { +- return xt_register_target(&nflog_tg_reg); ++ return xt_register_targets(nflog_tg_reg, ARRAY_SIZE(nflog_tg_reg)); + } + + static void __exit nflog_tg_exit(void) + { +- xt_unregister_target(&nflog_tg_reg); ++ xt_unregister_targets(nflog_tg_reg, ARRAY_SIZE(nflog_tg_reg)); + } + + module_init(nflog_tg_init); +diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c +index 80f6624e23554..4f49cfc278312 100644 +--- a/net/netfilter/xt_RATEEST.c ++++ b/net/netfilter/xt_RATEEST.c +@@ -179,16 +179,31 @@ static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) + xt_rateest_put(par->net, info->est); + } + +-static struct xt_target xt_rateest_tg_reg __read_mostly = { +- .name = "RATEEST", +- .revision = 0, +- .family = NFPROTO_UNSPEC, +- .target = xt_rateest_tg, +- .checkentry = xt_rateest_tg_checkentry, +- .destroy = xt_rateest_tg_destroy, +- .targetsize = sizeof(struct xt_rateest_target_info), +- .usersize = offsetof(struct xt_rateest_target_info, est), +- .me = THIS_MODULE, ++static struct xt_target xt_rateest_tg_reg[] __read_mostly = { ++ { ++ .name = "RATEEST", ++ .revision = 0, ++ .family = NFPROTO_IPV4, ++ .target = xt_rateest_tg, ++ .checkentry = xt_rateest_tg_checkentry, ++ .destroy = xt_rateest_tg_destroy, ++ .targetsize = sizeof(struct xt_rateest_target_info), ++ .usersize = offsetof(struct xt_rateest_target_info, est), ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "RATEEST", ++ .revision = 0, ++ .family = NFPROTO_IPV6, ++ .target = xt_rateest_tg, ++ .checkentry = xt_rateest_tg_checkentry, ++ .destroy = xt_rateest_tg_destroy, ++ .targetsize = sizeof(struct xt_rateest_target_info), ++ .usersize = offsetof(struct xt_rateest_target_info, est), ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static __net_init int xt_rateest_net_init(struct net *net) +@@ -214,12 +229,12 @@ static int __init xt_rateest_tg_init(void) + + if (err) + return err; +- return xt_register_target(&xt_rateest_tg_reg); ++ return xt_register_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg)); + } + + static void __exit xt_rateest_tg_fini(void) + { +- xt_unregister_target(&xt_rateest_tg_reg); ++ xt_unregister_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg)); + unregister_pernet_subsys(&xt_rateest_net_ops); + } + +diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c +index 498a0bf6f0444..5bc5ea505eb9e 100644 +--- a/net/netfilter/xt_SECMARK.c ++++ b/net/netfilter/xt_SECMARK.c +@@ -157,7 +157,7 @@ static struct xt_target secmark_tg_reg[] __read_mostly = { + { + .name = "SECMARK", + .revision = 0, +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .checkentry = secmark_tg_check_v0, + .destroy = secmark_tg_destroy, + .target = secmark_tg_v0, +@@ -167,7 +167,7 @@ static struct xt_target secmark_tg_reg[] __read_mostly = { + { + .name = "SECMARK", + .revision = 1, +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .checkentry = secmark_tg_check_v1, + .destroy = secmark_tg_destroy, + .target = secmark_tg_v1, +@@ -175,6 +175,29 @@ static struct xt_target secmark_tg_reg[] __read_mostly = { + .usersize = offsetof(struct xt_secmark_target_info_v1, secid), + .me = THIS_MODULE, + }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "SECMARK", ++ .revision = 0, ++ .family = NFPROTO_IPV6, ++ .checkentry = secmark_tg_check_v0, ++ .destroy = secmark_tg_destroy, ++ .target = secmark_tg_v0, ++ .targetsize = sizeof(struct xt_secmark_target_info), ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "SECMARK", ++ .revision = 1, ++ .family = NFPROTO_IPV6, ++ .checkentry = secmark_tg_check_v1, ++ .destroy = secmark_tg_destroy, ++ .target = secmark_tg_v1, ++ .targetsize = sizeof(struct xt_secmark_target_info_v1), ++ .usersize = offsetof(struct xt_secmark_target_info_v1, secid), ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init secmark_tg_init(void) +diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c +index 5582dce98cae7..f3fa4f11348cd 100644 +--- a/net/netfilter/xt_TRACE.c ++++ b/net/netfilter/xt_TRACE.c +@@ -29,25 +29,38 @@ trace_tg(struct sk_buff *skb, const struct xt_action_param *par) + return XT_CONTINUE; + } + +-static struct xt_target trace_tg_reg __read_mostly = { +- .name = "TRACE", +- .revision = 0, +- .family = NFPROTO_UNSPEC, +- .table = "raw", +- .target = trace_tg, +- .checkentry = trace_tg_check, +- .destroy = trace_tg_destroy, +- .me = THIS_MODULE, ++static struct xt_target trace_tg_reg[] __read_mostly = { ++ { ++ .name = "TRACE", ++ .revision = 0, ++ .family = NFPROTO_IPV4, ++ .table = "raw", ++ .target = trace_tg, ++ .checkentry = trace_tg_check, ++ .destroy = trace_tg_destroy, ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "TRACE", ++ .revision = 0, ++ .family = NFPROTO_IPV6, ++ .table = "raw", ++ .target = trace_tg, ++ .checkentry = trace_tg_check, ++ .destroy = trace_tg_destroy, ++ }, ++#endif + }; + + static int __init trace_tg_init(void) + { +- return xt_register_target(&trace_tg_reg); ++ return xt_register_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg)); + } + + static void __exit trace_tg_exit(void) + { +- xt_unregister_target(&trace_tg_reg); ++ xt_unregister_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg)); + } + + module_init(trace_tg_init); +diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c +index e9b2181e8c425..a770889431071 100644 +--- a/net/netfilter/xt_addrtype.c ++++ b/net/netfilter/xt_addrtype.c +@@ -208,13 +208,24 @@ static struct xt_match addrtype_mt_reg[] __read_mostly = { + }, + { + .name = "addrtype", +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .revision = 1, + .match = addrtype_mt_v1, + .checkentry = addrtype_mt_checkentry_v1, + .matchsize = sizeof(struct xt_addrtype_info_v1), + .me = THIS_MODULE +- } ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "addrtype", ++ .family = NFPROTO_IPV6, ++ .revision = 1, ++ .match = addrtype_mt_v1, ++ .checkentry = addrtype_mt_checkentry_v1, ++ .matchsize = sizeof(struct xt_addrtype_info_v1), ++ .me = THIS_MODULE ++ }, ++#endif + }; + + static int __init addrtype_mt_init(void) +diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c +index a047a545371e1..908fd5f2c3c84 100644 +--- a/net/netfilter/xt_cluster.c ++++ b/net/netfilter/xt_cluster.c +@@ -146,24 +146,37 @@ static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par) + nf_ct_netns_put(par->net, par->family); + } + +-static struct xt_match xt_cluster_match __read_mostly = { +- .name = "cluster", +- .family = NFPROTO_UNSPEC, +- .match = xt_cluster_mt, +- .checkentry = xt_cluster_mt_checkentry, +- .matchsize = sizeof(struct xt_cluster_match_info), +- .destroy = xt_cluster_mt_destroy, +- .me = THIS_MODULE, ++static struct xt_match xt_cluster_match[] __read_mostly = { ++ { ++ .name = "cluster", ++ .family = NFPROTO_IPV4, ++ .match = xt_cluster_mt, ++ .checkentry = xt_cluster_mt_checkentry, ++ .matchsize = sizeof(struct xt_cluster_match_info), ++ .destroy = xt_cluster_mt_destroy, ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "cluster", ++ .family = NFPROTO_IPV6, ++ .match = xt_cluster_mt, ++ .checkentry = xt_cluster_mt_checkentry, ++ .matchsize = sizeof(struct xt_cluster_match_info), ++ .destroy = xt_cluster_mt_destroy, ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init xt_cluster_mt_init(void) + { +- return xt_register_match(&xt_cluster_match); ++ return xt_register_matches(xt_cluster_match, ARRAY_SIZE(xt_cluster_match)); + } + + static void __exit xt_cluster_mt_fini(void) + { +- xt_unregister_match(&xt_cluster_match); ++ xt_unregister_matches(xt_cluster_match, ARRAY_SIZE(xt_cluster_match)); + } + + MODULE_AUTHOR("Pablo Neira Ayuso "); +diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c +index 93cb018c3055f..2aabdcea87072 100644 +--- a/net/netfilter/xt_connbytes.c ++++ b/net/netfilter/xt_connbytes.c +@@ -111,9 +111,11 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par) + return -EINVAL; + + ret = nf_ct_netns_get(par->net, par->family); +- if (ret < 0) ++ if (ret < 0) { + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", + par->family); ++ return ret; ++ } + + /* + * This filter cannot function correctly unless connection tracking +diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c +index 5d04ef80a61dc..d1d0fa6c8061e 100644 +--- a/net/netfilter/xt_connlimit.c ++++ b/net/netfilter/xt_connlimit.c +@@ -106,26 +106,41 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par) + nf_conncount_destroy(par->net, par->family, info->data); + } + +-static struct xt_match connlimit_mt_reg __read_mostly = { +- .name = "connlimit", +- .revision = 1, +- .family = NFPROTO_UNSPEC, +- .checkentry = connlimit_mt_check, +- .match = connlimit_mt, +- .matchsize = sizeof(struct xt_connlimit_info), +- .usersize = offsetof(struct xt_connlimit_info, data), +- .destroy = connlimit_mt_destroy, +- .me = THIS_MODULE, ++static struct xt_match connlimit_mt_reg[] __read_mostly = { ++ { ++ .name = "connlimit", ++ .revision = 1, ++ .family = NFPROTO_IPV4, ++ .checkentry = connlimit_mt_check, ++ .match = connlimit_mt, ++ .matchsize = sizeof(struct xt_connlimit_info), ++ .usersize = offsetof(struct xt_connlimit_info, data), ++ .destroy = connlimit_mt_destroy, ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "connlimit", ++ .revision = 1, ++ .family = NFPROTO_IPV6, ++ .checkentry = connlimit_mt_check, ++ .match = connlimit_mt, ++ .matchsize = sizeof(struct xt_connlimit_info), ++ .usersize = offsetof(struct xt_connlimit_info, data), ++ .destroy = connlimit_mt_destroy, ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static int __init connlimit_mt_init(void) + { +- return xt_register_match(&connlimit_mt_reg); ++ return xt_register_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg)); + } + + static void __exit connlimit_mt_exit(void) + { +- xt_unregister_match(&connlimit_mt_reg); ++ xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg)); + } + + module_init(connlimit_mt_init); +diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c +index ad3c033db64e7..4277084de2e70 100644 +--- a/net/netfilter/xt_connmark.c ++++ b/net/netfilter/xt_connmark.c +@@ -151,7 +151,7 @@ static struct xt_target connmark_tg_reg[] __read_mostly = { + { + .name = "CONNMARK", + .revision = 1, +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .checkentry = connmark_tg_check, + .target = connmark_tg, + .targetsize = sizeof(struct xt_connmark_tginfo1), +@@ -161,13 +161,35 @@ static struct xt_target connmark_tg_reg[] __read_mostly = { + { + .name = "CONNMARK", + .revision = 2, +- .family = NFPROTO_UNSPEC, ++ .family = NFPROTO_IPV4, + .checkentry = connmark_tg_check, + .target = connmark_tg_v2, + .targetsize = sizeof(struct xt_connmark_tginfo2), + .destroy = connmark_tg_destroy, + .me = THIS_MODULE, +- } ++ }, ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "CONNMARK", ++ .revision = 1, ++ .family = NFPROTO_IPV6, ++ .checkentry = connmark_tg_check, ++ .target = connmark_tg, ++ .targetsize = sizeof(struct xt_connmark_tginfo1), ++ .destroy = connmark_tg_destroy, ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "CONNMARK", ++ .revision = 2, ++ .family = NFPROTO_IPV6, ++ .checkentry = connmark_tg_check, ++ .target = connmark_tg_v2, ++ .targetsize = sizeof(struct xt_connmark_tginfo2), ++ .destroy = connmark_tg_destroy, ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static struct xt_match connmark_mt_reg __read_mostly = { +diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c +index 1ad74b5920b53..f76fe04fc9a4e 100644 +--- a/net/netfilter/xt_mark.c ++++ b/net/netfilter/xt_mark.c +@@ -39,13 +39,35 @@ mark_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ((skb->mark & info->mask) == info->mark) ^ info->invert; + } + +-static struct xt_target mark_tg_reg __read_mostly = { +- .name = "MARK", +- .revision = 2, +- .family = NFPROTO_UNSPEC, +- .target = mark_tg, +- .targetsize = sizeof(struct xt_mark_tginfo2), +- .me = THIS_MODULE, ++static struct xt_target mark_tg_reg[] __read_mostly = { ++ { ++ .name = "MARK", ++ .revision = 2, ++ .family = NFPROTO_IPV4, ++ .target = mark_tg, ++ .targetsize = sizeof(struct xt_mark_tginfo2), ++ .me = THIS_MODULE, ++ }, ++#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES) ++ { ++ .name = "MARK", ++ .revision = 2, ++ .family = NFPROTO_ARP, ++ .target = mark_tg, ++ .targetsize = sizeof(struct xt_mark_tginfo2), ++ .me = THIS_MODULE, ++ }, ++#endif ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ++ { ++ .name = "MARK", ++ .revision = 2, ++ .family = NFPROTO_IPV4, ++ .target = mark_tg, ++ .targetsize = sizeof(struct xt_mark_tginfo2), ++ .me = THIS_MODULE, ++ }, ++#endif + }; + + static struct xt_match mark_mt_reg __read_mostly = { +@@ -61,12 +83,12 @@ static int __init mark_mt_init(void) + { + int ret; + +- ret = xt_register_target(&mark_tg_reg); ++ ret = xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); + if (ret < 0) + return ret; + ret = xt_register_match(&mark_mt_reg); + if (ret < 0) { +- xt_unregister_target(&mark_tg_reg); ++ xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); + return ret; + } + return 0; +@@ -75,7 +97,7 @@ static int __init mark_mt_init(void) + static void __exit mark_mt_exit(void) + { + xt_unregister_match(&mark_mt_reg); +- xt_unregister_target(&mark_tg_reg); ++ xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); + } + + module_init(mark_mt_init); +-- +2.43.0 + diff --git a/queue-6.6/nfsd-mark-filecache-down-if-init-fails.patch b/queue-6.6/nfsd-mark-filecache-down-if-init-fails.patch new file mode 100644 index 00000000000..af6b2bfb4e6 --- /dev/null +++ b/queue-6.6/nfsd-mark-filecache-down-if-init-fails.patch @@ -0,0 +1,48 @@ +From 414b2d74974d4da34bbb67ae29af33e188f99847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2024 14:25:37 -0400 +Subject: NFSD: Mark filecache "down" if init fails + +From: Chuck Lever + +[ Upstream commit dc0d0f885aa422f621bc1c2124133eff566b0bc8 ] + +NeilBrown says: +> The handling of NFSD_FILE_CACHE_UP is strange. nfsd_file_cache_init() +> sets it, but doesn't clear it on failure. So if nfsd_file_cache_init() +> fails for some reason, nfsd_file_cache_shutdown() would still try to +> clean up if it was called. + +Reported-by: NeilBrown +Fixes: c7b824c3d06c ("NFSD: Replace the "init once" mechanism") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/filecache.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c +index 5c9f8f8404d5b..6f2bcbfde45e6 100644 +--- a/fs/nfsd/filecache.c ++++ b/fs/nfsd/filecache.c +@@ -718,7 +718,7 @@ nfsd_file_cache_init(void) + + ret = rhltable_init(&nfsd_file_rhltable, &nfsd_file_rhash_params); + if (ret) +- return ret; ++ goto out; + + ret = -ENOMEM; + nfsd_filecache_wq = alloc_workqueue("nfsd_filecache", 0, 0); +@@ -770,6 +770,8 @@ nfsd_file_cache_init(void) + + INIT_DELAYED_WORK(&nfsd_filecache_laundrette, nfsd_file_gc_worker); + out: ++ if (ret) ++ clear_bit(NFSD_FILE_CACHE_UP, &nfsd_file_flags); + return ret; + out_notifier: + lease_unregister_notifier(&nfsd_file_lease_notifier); +-- +2.43.0 + diff --git a/queue-6.6/nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch b/queue-6.6/nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch new file mode 100644 index 00000000000..2f3e36a7615 --- /dev/null +++ b/queue-6.6/nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch @@ -0,0 +1,151 @@ +From c6748259544a83c6ba46d6a511abc61947f63b89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 16:39:30 +0800 +Subject: NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() + +From: Yanjun Zhang + +[ Upstream commit a848c29e3486189aaabd5663bc11aea50c5bd144 ] + +On the node of an NFS client, some files saved in the mountpoint of the +NFS server were copied to another location of the same NFS server. +Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference +crash with the following syslog: + +[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116 +[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116 +[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 +[232066.588586] Mem abort info: +[232066.588701] ESR = 0x0000000096000007 +[232066.588862] EC = 0x25: DABT (current EL), IL = 32 bits +[232066.589084] SET = 0, FnV = 0 +[232066.589216] EA = 0, S1PTW = 0 +[232066.589340] FSC = 0x07: level 3 translation fault +[232066.589559] Data abort info: +[232066.589683] ISV = 0, ISS = 0x00000007 +[232066.589842] CM = 0, WnR = 0 +[232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400 +[232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000 +[232066.590757] Internal error: Oops: 96000007 [#1] SMP +[232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2 +[232066.591052] vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs +[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1 +[232066.597356] Hardware name: Great Wall .\x93\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06 +[232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4] +[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4] +[232066.598595] sp : ffff8000f568fc70 +[232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000 +[232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001 +[232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050 +[232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000 +[232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000 +[232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6 +[232066.600498] x11: 0000000000000000 x10: 0000000000000008 x9 : ffff8000054e5828 +[232066.600784] x8 : 00000000ffffffbf x7 : 0000000000000001 x6 : 000000000a9eb14a +[232066.601062] x5 : 0000000000000000 x4 : ffff70ff8a14a800 x3 : 0000000000000058 +[232066.601348] x2 : 0000000000000001 x1 : 54dce46366daa6c6 x0 : 0000000000000000 +[232066.601636] Call trace: +[232066.601749] nfs4_reclaim_open_state+0x220/0x800 [nfsv4] +[232066.601998] nfs4_do_reclaim+0x1b8/0x28c [nfsv4] +[232066.602218] nfs4_state_manager+0x928/0x10f0 [nfsv4] +[232066.602455] nfs4_run_state_manager+0x78/0x1b0 [nfsv4] +[232066.602690] kthread+0x110/0x114 +[232066.602830] ret_from_fork+0x10/0x20 +[232066.602985] Code: 1400000d f9403f20 f9402e61 91016003 (f9402c00) +[232066.603284] SMP: stopping secondary CPUs +[232066.606936] Starting crashdump kernel... +[232066.607146] Bye! + +Analysing the vmcore, we know that nfs4_copy_state listed by destination +nfs_server->ss_copies was added by the field copies in handle_async_copy(), +and we found a waiting copy process with the stack as: +PID: 3511963 TASK: ffff710028b47e00 CPU: 0 COMMAND: "cp" + #0 [ffff8001116ef740] __switch_to at ffff8000081b92f4 + #1 [ffff8001116ef760] __schedule at ffff800008dd0650 + #2 [ffff8001116ef7c0] schedule at ffff800008dd0a00 + #3 [ffff8001116ef7e0] schedule_timeout at ffff800008dd6aa0 + #4 [ffff8001116ef860] __wait_for_common at ffff800008dd166c + #5 [ffff8001116ef8e0] wait_for_completion_interruptible at ffff800008dd1898 + #6 [ffff8001116ef8f0] handle_async_copy at ffff8000055142f4 [nfsv4] + #7 [ffff8001116ef970] _nfs42_proc_copy at ffff8000055147c8 [nfsv4] + #8 [ffff8001116efa80] nfs42_proc_copy at ffff800005514cf0 [nfsv4] + #9 [ffff8001116efc50] __nfs4_copy_file_range.constprop.0 at ffff8000054ed694 [nfsv4] + +The NULL-pointer dereference was due to nfs42_complete_copies() listed +the nfs_server->ss_copies by the field ss_copies of nfs4_copy_state. +So the nfs4_copy_state address ffff0100f98fa3f0 was offset by 0x10 and +the data accessed through this pointer was also incorrect. Generally, +the ordered list nfs4_state_owner->so_states indicate open(O_RDWR) or +open(O_WRITE) states are reclaimed firstly by nfs4_reclaim_open_state(). +When destination state reclaim is failed with NFS_STATE_RECOVERY_FAILED +and copies are not deleted in nfs_server->ss_copies, the source state +may be passed to the nfs42_complete_copies() process earlier, resulting +in this crash scene finally. To solve this issue, we add a list_head +nfs_server->ss_src_copies for a server-to-server copy specially. + +Fixes: 0e65a32c8a56 ("NFS: handle source server reboot") +Signed-off-by: Yanjun Zhang +Reviewed-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 1 + + fs/nfs/nfs42proc.c | 2 +- + fs/nfs/nfs4state.c | 2 +- + include/linux/nfs_fs_sb.h | 1 + + 4 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 4d9249c99989f..62607d52bfa5e 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -987,6 +987,7 @@ struct nfs_server *nfs_alloc_server(void) + INIT_LIST_HEAD(&server->layouts); + INIT_LIST_HEAD(&server->state_owners_lru); + INIT_LIST_HEAD(&server->ss_copies); ++ INIT_LIST_HEAD(&server->ss_src_copies); + + atomic_set(&server->active, 0); + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 28704f924612c..531c9c20ef1d1 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -218,7 +218,7 @@ static int handle_async_copy(struct nfs42_copy_res *res, + + if (dst_server != src_server) { + spin_lock(&src_server->nfs_client->cl_lock); +- list_add_tail(©->src_copies, &src_server->ss_copies); ++ list_add_tail(©->src_copies, &src_server->ss_src_copies); + spin_unlock(&src_server->nfs_client->cl_lock); + } + +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 6c4539ed2654a..794bb4aa588d3 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1597,7 +1597,7 @@ static void nfs42_complete_copies(struct nfs4_state_owner *sp, struct nfs4_state + complete(©->completion); + } + } +- list_for_each_entry(copy, &sp->so_server->ss_copies, src_copies) { ++ list_for_each_entry(copy, &sp->so_server->ss_src_copies, src_copies) { + if ((test_bit(NFS_CLNT_SRC_SSC_COPY_STATE, &state->flags) && + !nfs4_stateid_match_other(&state->stateid, + ©->parent_src_state->stateid))) +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index cd628c4b011e5..86d96e00c2e3d 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -238,6 +238,7 @@ struct nfs_server { + struct list_head layouts; + struct list_head delegations; + struct list_head ss_copies; ++ struct list_head ss_src_copies; + + unsigned long mig_gen; + unsigned long mig_status; +-- +2.43.0 + diff --git a/queue-6.6/nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch b/queue-6.6/nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch new file mode 100644 index 00000000000..347ca2c7146 --- /dev/null +++ b/queue-6.6/nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch @@ -0,0 +1,46 @@ +From ef40cb612cd840c6d03969d6b88494a917b15511 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 14:59:42 +0300 +Subject: nouveau/dmem: Fix privileged error in copy engine channel + +From: Yonatan Maman + +[ Upstream commit 04e0481526e30ab8c7e7580033d2f88b7ef2da3f ] + +When `nouveau_dmem_copy_one` is called, the following error occurs: + +[272146.675156] nouveau 0000:06:00.0: fifo: PBDMA9: 00000004 [HCE_PRIV] +ch 1 00000300 00003386 + +This indicates that a copy push command triggered a Host Copy Engine +Privileged error on channel 1 (Copy Engine channel). To address this +issue, modify the Copy Engine channel to allow privileged push commands + +Fixes: 6de125383a5c ("drm/nouveau/fifo: expose runlist topology info on all chipsets") +Signed-off-by: Yonatan Maman +Co-developed-by: Gal Shalom +Signed-off-by: Gal Shalom +Reviewed-by: Ben Skeggs +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20241008115943.990286-2-ymaman@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index c39284dc7d73b..ac15a662e0604 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -343,7 +343,7 @@ nouveau_accel_ce_init(struct nouveau_drm *drm) + return; + } + +- ret = nouveau_channel_new(&drm->client, false, runm, NvDmaFB, NvDmaTT, &drm->cechan); ++ ret = nouveau_channel_new(&drm->client, true, runm, NvDmaFB, NvDmaTT, &drm->cechan); + if (ret) + NV_ERROR(drm, "failed to create ce channel, %d\n", ret); + } +-- +2.43.0 + diff --git a/queue-6.6/phonet-handle-error-of-rtnl_register_module.patch b/queue-6.6/phonet-handle-error-of-rtnl_register_module.patch new file mode 100644 index 00000000000..94711f1e873 --- /dev/null +++ b/queue-6.6/phonet-handle-error-of-rtnl_register_module.patch @@ -0,0 +1,78 @@ +From 4b1bf8eeeb2d62394fb92d5ba71ddecd79bbc787 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 11:47:37 -0700 +Subject: phonet: Handle error of rtnl_register_module(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kuniyuki Iwashima + +[ Upstream commit b5e837c86041bef60f36cf9f20a641a30764379a ] + +Before commit addf9b90de22 ("net: rtnetlink: use rcu to free rtnl +message handlers"), once the first rtnl_register_module() allocated +rtnl_msg_handlers[PF_PHONET], the following calls never failed. + +However, after the commit, rtnl_register_module() could fail silently +to allocate rtnl_msg_handlers[PF_PHONET][msgtype] and requires error +handling for each call. + +Handling the error allows users to view a module as an all-or-nothing +thing in terms of the rtnetlink functionality. This prevents syzkaller +from reporting spurious errors from its tests, where OOM often occurs +and module is automatically loaded. + +Let's use rtnl_register_many() to handle the errors easily. + +Fixes: addf9b90de22 ("net: rtnetlink: use rcu to free rtnl message handlers") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Rémi Denis-Courmont +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/phonet/pn_netlink.c | 28 +++++++++++----------------- + 1 file changed, 11 insertions(+), 17 deletions(-) + +diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c +index 7008d402499d5..894e5c72d6bff 100644 +--- a/net/phonet/pn_netlink.c ++++ b/net/phonet/pn_netlink.c +@@ -285,23 +285,17 @@ static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb) + return err; + } + ++static const struct rtnl_msg_handler phonet_rtnl_msg_handlers[] __initdata_or_module = { ++ {THIS_MODULE, PF_PHONET, RTM_NEWADDR, addr_doit, NULL, 0}, ++ {THIS_MODULE, PF_PHONET, RTM_DELADDR, addr_doit, NULL, 0}, ++ {THIS_MODULE, PF_PHONET, RTM_GETADDR, NULL, getaddr_dumpit, 0}, ++ {THIS_MODULE, PF_PHONET, RTM_NEWROUTE, route_doit, NULL, 0}, ++ {THIS_MODULE, PF_PHONET, RTM_DELROUTE, route_doit, NULL, 0}, ++ {THIS_MODULE, PF_PHONET, RTM_GETROUTE, NULL, route_dumpit, ++ RTNL_FLAG_DUMP_UNLOCKED}, ++}; ++ + int __init phonet_netlink_register(void) + { +- int err = rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_NEWADDR, +- addr_doit, NULL, 0); +- if (err) +- return err; +- +- /* Further rtnl_register_module() cannot fail */ +- rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_DELADDR, +- addr_doit, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_GETADDR, +- NULL, getaddr_dumpit, 0); +- rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_NEWROUTE, +- route_doit, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_DELROUTE, +- route_doit, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_GETROUTE, +- NULL, route_dumpit, RTNL_FLAG_DUMP_UNLOCKED); +- return 0; ++ return rtnl_register_many(phonet_rtnl_msg_handlers); + } +-- +2.43.0 + diff --git a/queue-6.6/phonet-no-longer-hold-rtnl-in-route_dumpit.patch b/queue-6.6/phonet-no-longer-hold-rtnl-in-route_dumpit.patch new file mode 100644 index 00000000000..061a9548f17 --- /dev/null +++ b/queue-6.6/phonet-no-longer-hold-rtnl-in-route_dumpit.patch @@ -0,0 +1,82 @@ +From db58c961107e1a238ff1e7066fb6cc1ccac10cf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 12:17:48 +0000 +Subject: phonet: no longer hold RTNL in route_dumpit() + +From: Eric Dumazet + +[ Upstream commit 58a4ff5d77b187086eb12d41d613749420947f19 ] + +route_dumpit() already relies on RCU, RTNL is not needed. + +Also change return value at the end of a dump. +This allows NLMSG_DONE to be appended to the current +skb at the end of a dump, saving a couple of recvmsg() +system calls. + +Signed-off-by: Eric Dumazet +Cc: Remi Denis-Courmont +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240507121748.416287-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: b5e837c86041 ("phonet: Handle error of rtnl_register_module().") +Signed-off-by: Sasha Levin +--- + net/phonet/pn_netlink.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c +index dd4c7e9a634fb..7008d402499d5 100644 +--- a/net/phonet/pn_netlink.c ++++ b/net/phonet/pn_netlink.c +@@ -178,7 +178,7 @@ static int fill_route(struct sk_buff *skb, struct net_device *dev, u8 dst, + rtm->rtm_type = RTN_UNICAST; + rtm->rtm_flags = 0; + if (nla_put_u8(skb, RTA_DST, dst) || +- nla_put_u32(skb, RTA_OIF, dev->ifindex)) ++ nla_put_u32(skb, RTA_OIF, READ_ONCE(dev->ifindex))) + goto nla_put_failure; + nlmsg_end(skb, nlh); + return 0; +@@ -263,6 +263,7 @@ static int route_doit(struct sk_buff *skb, struct nlmsghdr *nlh, + static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); ++ int err = 0; + u8 addr; + + rcu_read_lock(); +@@ -272,16 +273,16 @@ static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb) + if (!dev) + continue; + +- if (fill_route(skb, dev, addr << 2, NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, RTM_NEWROUTE) < 0) +- goto out; ++ err = fill_route(skb, dev, addr << 2, ++ NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, RTM_NEWROUTE); ++ if (err < 0) ++ break; + } +- +-out: + rcu_read_unlock(); + cb->args[0] = addr; + +- return skb->len; ++ return err; + } + + int __init phonet_netlink_register(void) +@@ -301,6 +302,6 @@ int __init phonet_netlink_register(void) + rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_DELROUTE, + route_doit, NULL, 0); + rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_GETROUTE, +- NULL, route_dumpit, 0); ++ NULL, route_dumpit, RTNL_FLAG_DUMP_UNLOCKED); + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/platform-x86-intel-tpmi-add-defines-to-get-version-i.patch b/queue-6.6/platform-x86-intel-tpmi-add-defines-to-get-version-i.patch new file mode 100644 index 00000000000..a91562de4a6 --- /dev/null +++ b/queue-6.6/platform-x86-intel-tpmi-add-defines-to-get-version-i.patch @@ -0,0 +1,46 @@ +From 1a8eb174588d1d6ae644bce20d1fbf0ffe59a6db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 11:49:14 -0700 +Subject: platform/x86/intel/tpmi: Add defines to get version information +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivas Pandruvada + +[ Upstream commit 8874e414fe78718d0f2861fe511cecbd1cd73f4d ] + +Add defines to get major and minor version from a TPMI version field +value. This will avoid code duplication to convert in every feature +driver. Also add define for invalid version field. + +Signed-off-by: Srinivas Pandruvada +Link: https://lore.kernel.org/r/20231003184916.1860084-2-srinivas.pandruvada@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Stable-dep-of: 1d390923974c ("powercap: intel_rapl_tpmi: Ignore minor version change") +Signed-off-by: Sasha Levin +--- + include/linux/intel_tpmi.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/include/linux/intel_tpmi.h b/include/linux/intel_tpmi.h +index 04d937ad4dc4f..ee07393445f9f 100644 +--- a/include/linux/intel_tpmi.h ++++ b/include/linux/intel_tpmi.h +@@ -6,6 +6,12 @@ + #ifndef _INTEL_TPMI_H_ + #define _INTEL_TPMI_H_ + ++#include ++ ++#define TPMI_VERSION_INVALID 0xff ++#define TPMI_MINOR_VERSION(val) FIELD_GET(GENMASK(4, 0), val) ++#define TPMI_MAJOR_VERSION(val) FIELD_GET(GENMASK(7, 5), val) ++ + /** + * struct intel_tpmi_plat_info - Platform information for a TPMI device instance + * @package_id: CPU Package id +-- +2.43.0 + diff --git a/queue-6.6/powercap-intel_rapl_tpmi-ignore-minor-version-change.patch b/queue-6.6/powercap-intel_rapl_tpmi-ignore-minor-version-change.patch new file mode 100644 index 00000000000..ff25d75c12e --- /dev/null +++ b/queue-6.6/powercap-intel_rapl_tpmi-ignore-minor-version-change.patch @@ -0,0 +1,80 @@ +From a9c6f2bbe434e08cf6bf2fd7112d9ef404e82638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:17:58 +0800 +Subject: powercap: intel_rapl_tpmi: Ignore minor version change + +From: Zhang Rui + +[ Upstream commit 1d390923974cc233245649cf23833e06b15a9ef7 ] + +The hardware definition of every TPMI feature contains a major and minor +version. When there is a change in the MMIO offset or change in the +definition of a field, hardware will change major version. For addition +of new fields without modifying existing MMIO offsets or fields, only +the minor version is changed. + +If the driver has not been updated to recognize a new hardware major +version, it cannot provide the RAPL interface to users due to possible +register layout incompatibilities. However, the driver does not need to +be updated every time the hardware minor version changes because in that +case it will just miss some new functionality exposed by the hardware. + +The current implementation causes the driver to refuse to work for any +hardware version change which is unnecessarily restrictive. + +If there is a minor version mismatch, log an information message and +continue, but if there is a major version mismatch, log a warning and +exit (as before). + +Signed-off-by: Zhang Rui +Reviewed-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20240930081801.28502-4-rui.zhang@intel.com +Fixes: 9eef7f9da928 ("powercap: intel_rapl: Introduce RAPL TPMI interface driver") +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/intel_rapl_tpmi.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/powercap/intel_rapl_tpmi.c b/drivers/powercap/intel_rapl_tpmi.c +index f6b7f085977ce..0085e59856166 100644 +--- a/drivers/powercap/intel_rapl_tpmi.c ++++ b/drivers/powercap/intel_rapl_tpmi.c +@@ -15,7 +15,8 @@ + #include + #include + +-#define TPMI_RAPL_VERSION 1 ++#define TPMI_RAPL_MAJOR_VERSION 0 ++#define TPMI_RAPL_MINOR_VERSION 1 + + /* 1 header + 10 registers + 5 reserved. 8 bytes for each. */ + #define TPMI_RAPL_DOMAIN_SIZE 128 +@@ -154,11 +155,21 @@ static int parse_one_domain(struct tpmi_rapl_package *trp, u32 offset) + tpmi_domain_size = tpmi_domain_header >> 16 & 0xff; + tpmi_domain_flags = tpmi_domain_header >> 32 & 0xffff; + +- if (tpmi_domain_version != TPMI_RAPL_VERSION) { +- pr_warn(FW_BUG "Unsupported version:%d\n", tpmi_domain_version); ++ if (tpmi_domain_version == TPMI_VERSION_INVALID) { ++ pr_warn(FW_BUG "Invalid version\n"); + return -ENODEV; + } + ++ if (TPMI_MAJOR_VERSION(tpmi_domain_version) != TPMI_RAPL_MAJOR_VERSION) { ++ pr_warn(FW_BUG "Unsupported major version:%ld\n", ++ TPMI_MAJOR_VERSION(tpmi_domain_version)); ++ return -ENODEV; ++ } ++ ++ if (TPMI_MINOR_VERSION(tpmi_domain_version) > TPMI_RAPL_MINOR_VERSION) ++ pr_info("Ignore: Unsupported minor version:%ld\n", ++ TPMI_MINOR_VERSION(tpmi_domain_version)); ++ + /* Domain size: in unit of 128 Bytes */ + if (tpmi_domain_size != 1) { + pr_warn(FW_BUG "Invalid Domain size %d\n", tpmi_domain_size); +-- +2.43.0 + diff --git a/queue-6.6/ppp-fix-ppp_async_encode-illegal-access.patch b/queue-6.6/ppp-fix-ppp_async_encode-illegal-access.patch new file mode 100644 index 00000000000..96ab55bcab0 --- /dev/null +++ b/queue-6.6/ppp-fix-ppp_async_encode-illegal-access.patch @@ -0,0 +1,91 @@ +From e6e1b0c41004bc1008fa862f5439c373cd556ab5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 18:58:02 +0000 +Subject: ppp: fix ppp_async_encode() illegal access + +From: Eric Dumazet + +[ Upstream commit 40dddd4b8bd08a69471efd96107a4e1c73fabefc ] + +syzbot reported an issue in ppp_async_encode() [1] + +In this case, pppoe_sendmsg() is called with a zero size. +Then ppp_async_encode() is called with an empty skb. + +BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] + BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 + ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] + ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 + ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634 + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline] + ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304 + pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 + sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 + __release_sock+0x1da/0x330 net/core/sock.c:3072 + release_sock+0x6b/0x250 net/core/sock.c:3626 + pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 + sock_sendmsg_nosec net/socket.c:729 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:744 + ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 + __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 + __do_sys_sendmmsg net/socket.c:2771 [inline] + __se_sys_sendmmsg net/socket.c:2768 [inline] + __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 + x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4092 [inline] + slab_alloc_node mm/slub.c:4135 [inline] + kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 + __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 + alloc_skb include/linux/skbuff.h:1322 [inline] + sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 + pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 + sock_sendmsg_nosec net/socket.c:729 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:744 + ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 + __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 + __do_sys_sendmmsg net/socket.c:2771 [inline] + __se_sys_sendmmsg net/socket.c:2768 [inline] + __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 + x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+1d121645899e7692f92a@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241009185802.3763282-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_async.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c +index e94a4b08fd63b..7d9201ef925ff 100644 +--- a/drivers/net/ppp/ppp_async.c ++++ b/drivers/net/ppp/ppp_async.c +@@ -541,7 +541,7 @@ ppp_async_encode(struct asyncppp *ap) + * and 7 (code-reject) must be sent as though no options + * had been negotiated. + */ +- islcp = proto == PPP_LCP && 1 <= data[2] && data[2] <= 7; ++ islcp = proto == PPP_LCP && count >= 3 && 1 <= data[2] && data[2] <= 7; + + if (i == 0) { + if (islcp) +-- +2.43.0 + diff --git a/queue-6.6/rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch b/queue-6.6/rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch new file mode 100644 index 00000000000..260c81ee2b5 --- /dev/null +++ b/queue-6.6/rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch @@ -0,0 +1,81 @@ +From 44261d09fa8413d47477d4518c0ee84dacb589a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 18:36:09 +0200 +Subject: rcu/nocb: Fix rcuog wake-up from offline softirq + +From: Frederic Weisbecker + +[ Upstream commit f7345ccc62a4b880cf76458db5f320725f28e400 ] + +After a CPU has set itself offline and before it eventually calls +rcutree_report_cpu_dead(), there are still opportunities for callbacks +to be enqueued, for example from a softirq. When that happens on NOCB, +the rcuog wake-up is deferred through an IPI to an online CPU in order +not to call into the scheduler and risk arming the RT-bandwidth after +hrtimers have been migrated out and disabled. + +But performing a synchronized IPI from a softirq is buggy as reported in +the following scenario: + + WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single + Modules linked in: rcutorture torture + CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 #1 + Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120 + RIP: 0010:smp_call_function_single + + swake_up_one_online + __call_rcu_nocb_wake + __call_rcu_common + ? rcu_torture_one_read + call_timer_fn + __run_timers + run_timer_softirq + handle_softirqs + irq_exit_rcu + ? tick_handle_periodic + sysvec_apic_timer_interrupt + + +Fix this with forcing deferred rcuog wake up through the NOCB timer when +the CPU is offline. The actual wake up will happen from +rcutree_report_cpu_dead(). + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202409231644.4c55582d-lkp@intel.com +Fixes: 9139f93209d1 ("rcu/nocb: Fix RT throttling hrtimer armed from offline CPU") +Reviewed-by: "Joel Fernandes (Google)" +Signed-off-by: Frederic Weisbecker +Signed-off-by: Neeraj Upadhyay +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_nocb.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h +index 7a0bce3f784df..8993b2322be2b 100644 +--- a/kernel/rcu/tree_nocb.h ++++ b/kernel/rcu/tree_nocb.h +@@ -568,13 +568,19 @@ static void __call_rcu_nocb_wake(struct rcu_data *rdp, bool was_alldone, + rcu_nocb_unlock(rdp); + wake_nocb_gp_defer(rdp, RCU_NOCB_WAKE_LAZY, + TPS("WakeLazy")); +- } else if (!irqs_disabled_flags(flags)) { ++ } else if (!irqs_disabled_flags(flags) && cpu_online(rdp->cpu)) { + /* ... if queue was empty ... */ + rcu_nocb_unlock(rdp); + wake_nocb_gp(rdp, false); + trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, + TPS("WakeEmpty")); + } else { ++ /* ++ * Don't do the wake-up upfront on fragile paths. ++ * Also offline CPUs can't call swake_up_one_online() from ++ * (soft-)IRQs. Rely on the final deferred wake-up from ++ * rcutree_report_cpu_dead() ++ */ + rcu_nocb_unlock(rdp); + wake_nocb_gp_defer(rdp, RCU_NOCB_WAKE, + TPS("WakeEmptyIsDeferred")); +-- +2.43.0 + diff --git a/queue-6.6/rcu-nocb-make-irqs-disablement-symmetric.patch b/queue-6.6/rcu-nocb-make-irqs-disablement-symmetric.patch new file mode 100644 index 00000000000..d102bf31e07 --- /dev/null +++ b/queue-6.6/rcu-nocb-make-irqs-disablement-symmetric.patch @@ -0,0 +1,153 @@ +From a8524adc0da36bc3d6ca69407a3900275ba85e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jan 2024 23:24:00 +0100 +Subject: rcu/nocb: Make IRQs disablement symmetric + +From: Frederic Weisbecker + +[ Upstream commit b913c3fe685e0aec80130975b0f330fd709ff324 ] + +Currently IRQs are disabled on call_rcu() and then depending on the +context: + +* If the CPU is in nocb mode: + + - If the callback is enqueued in the bypass list, IRQs are re-enabled + implictly by rcu_nocb_try_bypass() + + - If the callback is enqueued in the normal list, IRQs are re-enabled + implicitly by __call_rcu_nocb_wake() + +* If the CPU is NOT in nocb mode, IRQs are reenabled explicitly from call_rcu() + +This makes the code a bit hard to follow, especially as it interleaves +with nocb locking. + +To make the IRQ flags coverage clearer and also in order to prepare for +moving all the nocb enqueue code to its own function, always re-enable +the IRQ flags explicitly from call_rcu(). + +Reviewed-by: Neeraj Upadhyay (AMD) +Signed-off-by: Frederic Weisbecker +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Stable-dep-of: f7345ccc62a4 ("rcu/nocb: Fix rcuog wake-up from offline softirq") +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 9 ++++++--- + kernel/rcu/tree_nocb.h | 20 +++++++++----------- + 2 files changed, 15 insertions(+), 14 deletions(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 8541084eeba50..3d7b119f6e2a3 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -2727,8 +2727,10 @@ __call_rcu_common(struct rcu_head *head, rcu_callback_t func, bool lazy_in) + } + + check_cb_ovld(rdp); +- if (rcu_nocb_try_bypass(rdp, head, &was_alldone, flags, lazy)) ++ if (rcu_nocb_try_bypass(rdp, head, &was_alldone, flags, lazy)) { ++ local_irq_restore(flags); + return; // Enqueued onto ->nocb_bypass, so just leave. ++ } + // If no-CBs CPU gets here, rcu_nocb_try_bypass() acquired ->nocb_lock. + rcu_segcblist_enqueue(&rdp->cblist, head); + if (__is_kvfree_rcu_offset((unsigned long)func)) +@@ -2746,8 +2748,8 @@ __call_rcu_common(struct rcu_head *head, rcu_callback_t func, bool lazy_in) + __call_rcu_nocb_wake(rdp, was_alldone, flags); /* unlocks */ + } else { + __call_rcu_core(rdp, head, flags); +- local_irq_restore(flags); + } ++ local_irq_restore(flags); + } + + #ifdef CONFIG_RCU_LAZY +@@ -4626,8 +4628,9 @@ void rcutree_migrate_callbacks(int cpu) + __call_rcu_nocb_wake(my_rdp, true, flags); + } else { + rcu_nocb_unlock(my_rdp); /* irqs remain disabled. */ +- raw_spin_unlock_irqrestore_rcu_node(my_rnp, flags); ++ raw_spin_unlock_rcu_node(my_rnp); /* irqs remain disabled. */ + } ++ local_irq_restore(flags); + if (needwake) + rcu_gp_kthread_wake(); + lockdep_assert_irqs_enabled(); +diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h +index e019f166daa61..7a0bce3f784df 100644 +--- a/kernel/rcu/tree_nocb.h ++++ b/kernel/rcu/tree_nocb.h +@@ -516,9 +516,7 @@ static bool rcu_nocb_try_bypass(struct rcu_data *rdp, struct rcu_head *rhp, + // 2. Both of these conditions are met: + // a. The bypass list previously had only lazy CBs, and: + // b. The new CB is non-lazy. +- if (ncbs && (!bypass_is_lazy || lazy)) { +- local_irq_restore(flags); +- } else { ++ if (!ncbs || (bypass_is_lazy && !lazy)) { + // No-CBs GP kthread might be indefinitely asleep, if so, wake. + rcu_nocb_lock(rdp); // Rare during call_rcu() flood. + if (!rcu_segcblist_pend_cbs(&rdp->cblist)) { +@@ -528,7 +526,7 @@ static bool rcu_nocb_try_bypass(struct rcu_data *rdp, struct rcu_head *rhp, + } else { + trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, + TPS("FirstBQnoWake")); +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + } + } + return true; // Callback already enqueued. +@@ -554,7 +552,7 @@ static void __call_rcu_nocb_wake(struct rcu_data *rdp, bool was_alldone, + // If we are being polled or there is no kthread, just leave. + t = READ_ONCE(rdp->nocb_gp_kthread); + if (rcu_nocb_poll || !t) { +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, + TPS("WakeNotPoll")); + return; +@@ -567,17 +565,17 @@ static void __call_rcu_nocb_wake(struct rcu_data *rdp, bool was_alldone, + rdp->qlen_last_fqs_check = len; + // Only lazy CBs in bypass list + if (lazy_len && bypass_len == lazy_len) { +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + wake_nocb_gp_defer(rdp, RCU_NOCB_WAKE_LAZY, + TPS("WakeLazy")); + } else if (!irqs_disabled_flags(flags)) { + /* ... if queue was empty ... */ +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + wake_nocb_gp(rdp, false); + trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, + TPS("WakeEmpty")); + } else { +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + wake_nocb_gp_defer(rdp, RCU_NOCB_WAKE, + TPS("WakeEmptyIsDeferred")); + } +@@ -595,15 +593,15 @@ static void __call_rcu_nocb_wake(struct rcu_data *rdp, bool was_alldone, + if ((rdp->nocb_cb_sleep || + !rcu_segcblist_ready_cbs(&rdp->cblist)) && + !timer_pending(&rdp->nocb_timer)) { +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + wake_nocb_gp_defer(rdp, RCU_NOCB_WAKE_FORCE, + TPS("WakeOvfIsDeferred")); + } else { +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, TPS("WakeNot")); + } + } else { +- rcu_nocb_unlock_irqrestore(rdp, flags); ++ rcu_nocb_unlock(rdp); + trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, TPS("WakeNot")); + } + } +-- +2.43.0 + diff --git a/queue-6.6/revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch b/queue-6.6/revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch new file mode 100644 index 00000000000..f27cec23436 --- /dev/null +++ b/queue-6.6/revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch @@ -0,0 +1,44 @@ +From cbaf4468049d98d40e2ce0f7f1b4e0048b5e57a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 07:21:15 -0700 +Subject: Revert "net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled" + +From: Jakub Kicinski + +[ Upstream commit 5546da79e6cc5bb3324bf25688ed05498fd3f86d ] + +This reverts commit b514c47ebf41a6536551ed28a05758036e6eca7c. + +The commit describes that we don't have to sync the page when +recycling, and it tries to optimize that case. But we do need +to sync after allocation. Recycling side should be changed to +pass the right sync size instead. + +Fixes: b514c47ebf41 ("net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled") +Reported-by: Jon Hunter +Link: https://lore.kernel.org/20241004070846.2502e9ea@kernel.org +Reviewed-by: Jacob Keller +Reviewed-by: Furong Xu <0x1207@gmail.com> +Link: https://patch.msgid.link/20241004142115.910876-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 89a80e3e8bb88..d6167a7b19f21 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2018,7 +2018,7 @@ static int __alloc_dma_rx_desc_resources(struct stmmac_priv *priv, + rx_q->queue_index = queue; + rx_q->priv_data = priv; + +- pp_params.flags = PP_FLAG_DMA_MAP | (xdp_prog ? PP_FLAG_DMA_SYNC_DEV : 0); ++ pp_params.flags = PP_FLAG_DMA_MAP | PP_FLAG_DMA_SYNC_DEV; + pp_params.pool_size = dma_conf->dma_rx_size; + num_pages = DIV_ROUND_UP(dma_conf->dma_buf_sz, PAGE_SIZE); + pp_params.order = ilog2(num_pages); +-- +2.43.0 + diff --git a/queue-6.6/rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch b/queue-6.6/rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch new file mode 100644 index 00000000000..05e68a94a4f --- /dev/null +++ b/queue-6.6/rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch @@ -0,0 +1,110 @@ +From a3ab689b70e8a4bd1031198d77be5e8c42c726f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 11:47:32 -0700 +Subject: rtnetlink: Add bulk registration helpers for rtnetlink message + handlers. + +From: Kuniyuki Iwashima + +[ Upstream commit 07cc7b0b942bf55ef1a471470ecda8d2a6a6541f ] + +Before commit addf9b90de22 ("net: rtnetlink: use rcu to free rtnl message +handlers"), once rtnl_msg_handlers[protocol] was allocated, the following +rtnl_register_module() for the same protocol never failed. + +However, after the commit, rtnl_msg_handler[protocol][msgtype] needs to +be allocated in each rtnl_register_module(), so each call could fail. + +Many callers of rtnl_register_module() do not handle the returned error, +and we need to add many error handlings. + +To handle that easily, let's add wrapper functions for bulk registration +of rtnetlink message handlers. + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Stable-dep-of: 78b7b991838a ("vxlan: Handle error of rtnl_register_module().") +Signed-off-by: Sasha Levin +--- + include/net/rtnetlink.h | 17 +++++++++++++++++ + net/core/rtnetlink.c | 29 +++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h +index 6506221c5fe31..0bd400be3f8d9 100644 +--- a/include/net/rtnetlink.h ++++ b/include/net/rtnetlink.h +@@ -27,6 +27,15 @@ static inline enum rtnl_kinds rtnl_msgtype_kind(int msgtype) + return msgtype & RTNL_KIND_MASK; + } + ++struct rtnl_msg_handler { ++ struct module *owner; ++ int protocol; ++ int msgtype; ++ rtnl_doit_func doit; ++ rtnl_dumpit_func dumpit; ++ int flags; ++}; ++ + void rtnl_register(int protocol, int msgtype, + rtnl_doit_func, rtnl_dumpit_func, unsigned int flags); + int rtnl_register_module(struct module *owner, int protocol, int msgtype, +@@ -34,6 +43,14 @@ int rtnl_register_module(struct module *owner, int protocol, int msgtype, + int rtnl_unregister(int protocol, int msgtype); + void rtnl_unregister_all(int protocol); + ++int __rtnl_register_many(const struct rtnl_msg_handler *handlers, int n); ++void __rtnl_unregister_many(const struct rtnl_msg_handler *handlers, int n); ++ ++#define rtnl_register_many(handlers) \ ++ __rtnl_register_many(handlers, ARRAY_SIZE(handlers)) ++#define rtnl_unregister_many(handlers) \ ++ __rtnl_unregister_many(handlers, ARRAY_SIZE(handlers)) ++ + static inline int rtnl_msg_family(const struct nlmsghdr *nlh) + { + if (nlmsg_len(nlh) >= sizeof(struct rtgenmsg)) +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 8573dad6d8171..ffa1334cddf44 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -389,6 +389,35 @@ void rtnl_unregister_all(int protocol) + } + EXPORT_SYMBOL_GPL(rtnl_unregister_all); + ++int __rtnl_register_many(const struct rtnl_msg_handler *handlers, int n) ++{ ++ const struct rtnl_msg_handler *handler; ++ int i, err; ++ ++ for (i = 0, handler = handlers; i < n; i++, handler++) { ++ err = rtnl_register_internal(handler->owner, handler->protocol, ++ handler->msgtype, handler->doit, ++ handler->dumpit, handler->flags); ++ if (err) { ++ __rtnl_unregister_many(handlers, i); ++ break; ++ } ++ } ++ ++ return err; ++} ++EXPORT_SYMBOL_GPL(__rtnl_register_many); ++ ++void __rtnl_unregister_many(const struct rtnl_msg_handler *handlers, int n) ++{ ++ const struct rtnl_msg_handler *handler; ++ int i; ++ ++ for (i = n - 1, handler = handlers + n - 1; i >= 0; i--, handler--) ++ rtnl_unregister(handler->protocol, handler->msgtype); ++} ++EXPORT_SYMBOL_GPL(__rtnl_unregister_many); ++ + static LIST_HEAD(link_ops); + + static const struct rtnl_link_ops *rtnl_link_ops_get(const char *kind) +-- +2.43.0 + diff --git a/queue-6.6/rtnetlink-add-rtnl_flag_dump_unlocked-flag.patch b/queue-6.6/rtnetlink-add-rtnl_flag_dump_unlocked-flag.patch new file mode 100644 index 00000000000..53ff68bf29e --- /dev/null +++ b/queue-6.6/rtnetlink-add-rtnl_flag_dump_unlocked-flag.patch @@ -0,0 +1,101 @@ +From 63325c4b7845dd88cdf0f8d577ca1984f711fe28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 10:50:15 +0000 +Subject: rtnetlink: add RTNL_FLAG_DUMP_UNLOCKED flag + +From: Eric Dumazet + +[ Upstream commit 386520e0ecc01004d3a29c70c5a77d4bbf8a8420 ] + +Similarly to RTNL_FLAG_DOIT_UNLOCKED, this new flag +allows dump operations registered via rtnl_register() +or rtnl_register_module() to opt-out from RTNL protection. + +Signed-off-by: Eric Dumazet +Reviewed-by: Donald Hunter +Signed-off-by: David S. Miller +Stable-dep-of: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().") +Signed-off-by: Sasha Levin +--- + include/linux/netlink.h | 2 ++ + include/net/rtnetlink.h | 1 + + net/core/rtnetlink.c | 2 ++ + net/netlink/af_netlink.c | 3 +++ + 4 files changed, 8 insertions(+) + +diff --git a/include/linux/netlink.h b/include/linux/netlink.h +index 75d7de34c9087..e8d713a37d176 100644 +--- a/include/linux/netlink.h ++++ b/include/linux/netlink.h +@@ -289,6 +289,7 @@ struct netlink_callback { + u16 answer_flags; + u32 min_dump_alloc; + unsigned int prev_seq, seq; ++ int flags; + bool strict_check; + union { + u8 ctx[48]; +@@ -321,6 +322,7 @@ struct netlink_dump_control { + void *data; + struct module *module; + u32 min_dump_alloc; ++ int flags; + }; + + int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, +diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h +index 0bd400be3f8d9..c1fa6fee0acfa 100644 +--- a/include/net/rtnetlink.h ++++ b/include/net/rtnetlink.h +@@ -12,6 +12,7 @@ typedef int (*rtnl_dumpit_func)(struct sk_buff *, struct netlink_callback *); + enum rtnl_link_flags { + RTNL_FLAG_DOIT_UNLOCKED = BIT(0), + RTNL_FLAG_BULK_DEL_SUPPORTED = BIT(1), ++ RTNL_FLAG_DUMP_UNLOCKED = BIT(2), + }; + + enum rtnl_kinds { +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index ffa1334cddf44..c76c54879fddd 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -6405,6 +6405,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, + } + owner = link->owner; + dumpit = link->dumpit; ++ flags = link->flags; + + if (type == RTM_GETLINK - RTM_BASE) + min_dump_alloc = rtnl_calcit(skb, nlh); +@@ -6422,6 +6423,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, + .dump = dumpit, + .min_dump_alloc = min_dump_alloc, + .module = owner, ++ .flags = flags, + }; + err = netlink_dump_start(rtnl, skb, nlh, &c); + /* netlink_dump_start() will keep a reference on +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index e40376997f393..8e7d5f17c58b8 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2263,6 +2263,8 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + + cb->extack = &extack; + ++ if (cb->flags & RTNL_FLAG_DUMP_UNLOCKED) ++ extra_mutex = NULL; + if (extra_mutex) + mutex_lock(extra_mutex); + nlk->dump_done_errno = cb->dump(skb, cb); +@@ -2357,6 +2359,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + cb->data = control->data; + cb->module = control->module; + cb->min_dump_alloc = control->min_dump_alloc; ++ cb->flags = control->flags; + cb->skb = skb; + + cb->strict_check = nlk_test_bit(STRICT_CHK, NETLINK_CB(skb).sk); +-- +2.43.0 + diff --git a/queue-6.6/rtnetlink-change-nlk-cb_mutex-role.patch b/queue-6.6/rtnetlink-change-nlk-cb_mutex-role.patch new file mode 100644 index 00000000000..2b54816df77 --- /dev/null +++ b/queue-6.6/rtnetlink-change-nlk-cb_mutex-role.patch @@ -0,0 +1,152 @@ +From fa417c7813cfb227d6f2a3173621d47345d99650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 10:50:14 +0000 +Subject: rtnetlink: change nlk->cb_mutex role + +From: Eric Dumazet + +[ Upstream commit e39951d965bf58b5aba7f61dc1140dcb8271af22 ] + +In commit af65bdfce98d ("[NETLINK]: Switch cb_lock spinlock +to mutex and allow to override it"), Patrick McHardy used +a common mutex to protect both nlk->cb and the dump() operations. + +The override is used for rtnl dumps, registered with +rntl_register() and rntl_register_module(). + +We want to be able to opt-out some dump() operations +to not acquire RTNL, so we need to protect nlk->cb +with a per socket mutex. + +This patch renames nlk->cb_def_mutex to nlk->nl_cb_mutex + +The optional pointer to the mutex used to protect dump() +call is stored in nlk->dump_cb_mutex + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().") +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 32 ++++++++++++++++++-------------- + net/netlink/af_netlink.h | 5 +++-- + 2 files changed, 21 insertions(+), 16 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index db49fc4d42cf7..e40376997f393 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -636,7 +636,7 @@ static struct proto netlink_proto = { + }; + + static int __netlink_create(struct net *net, struct socket *sock, +- struct mutex *cb_mutex, int protocol, ++ struct mutex *dump_cb_mutex, int protocol, + int kern) + { + struct sock *sk; +@@ -651,15 +651,11 @@ static int __netlink_create(struct net *net, struct socket *sock, + sock_init_data(sock, sk); + + nlk = nlk_sk(sk); +- if (cb_mutex) { +- nlk->cb_mutex = cb_mutex; +- } else { +- nlk->cb_mutex = &nlk->cb_def_mutex; +- mutex_init(nlk->cb_mutex); +- lockdep_set_class_and_name(nlk->cb_mutex, ++ mutex_init(&nlk->nl_cb_mutex); ++ lockdep_set_class_and_name(&nlk->nl_cb_mutex, + nlk_cb_mutex_keys + protocol, + nlk_cb_mutex_key_strings[protocol]); +- } ++ nlk->dump_cb_mutex = dump_cb_mutex; + init_waitqueue_head(&nlk->wait); + + sk->sk_destruct = netlink_sock_destruct; +@@ -2211,7 +2207,7 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + int alloc_size; + + if (!lock_taken) +- mutex_lock(nlk->cb_mutex); ++ mutex_lock(&nlk->nl_cb_mutex); + if (!nlk->cb_running) { + err = -EINVAL; + goto errout_skb; +@@ -2263,14 +2259,22 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + netlink_skb_set_owner_r(skb, sk); + + if (nlk->dump_done_errno > 0) { ++ struct mutex *extra_mutex = nlk->dump_cb_mutex; ++ + cb->extack = &extack; ++ ++ if (extra_mutex) ++ mutex_lock(extra_mutex); + nlk->dump_done_errno = cb->dump(skb, cb); ++ if (extra_mutex) ++ mutex_unlock(extra_mutex); ++ + cb->extack = NULL; + } + + if (nlk->dump_done_errno > 0 || + skb_tailroom(skb) < nlmsg_total_size(sizeof(nlk->dump_done_errno))) { +- mutex_unlock(nlk->cb_mutex); ++ mutex_unlock(&nlk->nl_cb_mutex); + + if (sk_filter(sk, skb)) + kfree_skb(skb); +@@ -2304,13 +2308,13 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + WRITE_ONCE(nlk->cb_running, false); + module = cb->module; + skb = cb->skb; +- mutex_unlock(nlk->cb_mutex); ++ mutex_unlock(&nlk->nl_cb_mutex); + module_put(module); + consume_skb(skb); + return 0; + + errout_skb: +- mutex_unlock(nlk->cb_mutex); ++ mutex_unlock(&nlk->nl_cb_mutex); + kfree_skb(skb); + return err; + } +@@ -2333,7 +2337,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + } + + nlk = nlk_sk(sk); +- mutex_lock(nlk->cb_mutex); ++ mutex_lock(&nlk->nl_cb_mutex); + /* A dump is in progress... */ + if (nlk->cb_running) { + ret = -EBUSY; +@@ -2384,7 +2388,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + module_put(control->module); + error_unlock: + sock_put(sk); +- mutex_unlock(nlk->cb_mutex); ++ mutex_unlock(&nlk->nl_cb_mutex); + error_free: + kfree_skb(skb); + return ret; +diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h +index 2145979b9986a..9751e29d4bbb9 100644 +--- a/net/netlink/af_netlink.h ++++ b/net/netlink/af_netlink.h +@@ -39,8 +39,9 @@ struct netlink_sock { + bool cb_running; + int dump_done_errno; + struct netlink_callback cb; +- struct mutex *cb_mutex; +- struct mutex cb_def_mutex; ++ struct mutex nl_cb_mutex; ++ ++ struct mutex *dump_cb_mutex; + void (*netlink_rcv)(struct sk_buff *skb); + int (*netlink_bind)(struct net *net, int group); + void (*netlink_unbind)(struct net *net, int group); +-- +2.43.0 + diff --git a/queue-6.6/rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch b/queue-6.6/rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch new file mode 100644 index 00000000000..f44a96a2ed9 --- /dev/null +++ b/queue-6.6/rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch @@ -0,0 +1,57 @@ +From 3960e017e1dbea22176f872a0d414c7fff993255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 14:26:59 +0100 +Subject: rxrpc: Fix uninitialised variable in rxrpc_send_data() + +From: David Howells + +[ Upstream commit 7a310f8d7dfe2d92a1f31ddb5357bfdd97eed273 ] + +Fix the uninitialised txb variable in rxrpc_send_data() by moving the code +that loads it above all the jumps to maybe_error, txb being stored back +into call->tx_pending right before the normal return. + +Fixes: b0f571ecd794 ("rxrpc: Fix locking in rxrpc's sendmsg") +Reported-by: Dan Carpenter +Closes: https://lists.infradead.org/pipermail/linux-afs/2024-October/008896.html +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://patch.msgid.link/20241001132702.3122709-3-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rxrpc/sendmsg.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c +index 8e0b94714e849..24f765d243db1 100644 +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -303,6 +303,11 @@ static int rxrpc_send_data(struct rxrpc_sock *rx, + sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk); + + reload: ++ txb = call->tx_pending; ++ call->tx_pending = NULL; ++ if (txb) ++ rxrpc_see_txbuf(txb, rxrpc_txbuf_see_send_more); ++ + ret = -EPIPE; + if (sk->sk_shutdown & SEND_SHUTDOWN) + goto maybe_error; +@@ -329,11 +334,6 @@ static int rxrpc_send_data(struct rxrpc_sock *rx, + goto maybe_error; + } + +- txb = call->tx_pending; +- call->tx_pending = NULL; +- if (txb) +- rxrpc_see_txbuf(txb, rxrpc_txbuf_see_send_more); +- + do { + if (!txb) { + size_t remain, bufsize, chunk, offset; +-- +2.43.0 + diff --git a/queue-6.6/sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch b/queue-6.6/sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch new file mode 100644 index 00000000000..4ff96e71742 --- /dev/null +++ b/queue-6.6/sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch @@ -0,0 +1,78 @@ +From 57282a32bbe487a1426ad6c68a31d3ba2bbb42da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 12:25:11 -0400 +Subject: sctp: ensure sk_state is set to CLOSED if hashing fails in + sctp_listen_start + +From: Xin Long + +[ Upstream commit 4d5c70e6155d5eae198bade4afeab3c1b15073b6 ] + +If hashing fails in sctp_listen_start(), the socket remains in the +LISTENING state, even though it was not added to the hash table. +This can lead to a scenario where a socket appears to be listening +without actually being accessible. + +This patch ensures that if the hashing operation fails, the sk_state +is set back to CLOSED before returning an error. + +Note that there is no need to undo the autobind operation if hashing +fails, as the bind port can still be used for next listen() call on +the same socket. + +Fixes: 76c6d988aeb3 ("sctp: add sock_reuseport for the sock in __sctp_hash_endpoint") +Reported-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 4a1ebe46d045d..108a0745c0c3c 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8525,6 +8525,7 @@ static int sctp_listen_start(struct sock *sk, int backlog) + struct sctp_endpoint *ep = sp->ep; + struct crypto_shash *tfm = NULL; + char alg[32]; ++ int err; + + /* Allocate HMAC for generating cookie. */ + if (!sp->hmac && sp->sctp_hmac_alg) { +@@ -8552,18 +8553,25 @@ static int sctp_listen_start(struct sock *sk, int backlog) + inet_sk_set_state(sk, SCTP_SS_LISTENING); + if (!ep->base.bind_addr.port) { + if (sctp_autobind(sk)) { +- inet_sk_set_state(sk, SCTP_SS_CLOSED); +- return -EAGAIN; ++ err = -EAGAIN; ++ goto err; + } + } else { + if (sctp_get_port(sk, inet_sk(sk)->inet_num)) { +- inet_sk_set_state(sk, SCTP_SS_CLOSED); +- return -EADDRINUSE; ++ err = -EADDRINUSE; ++ goto err; + } + } + + WRITE_ONCE(sk->sk_max_ack_backlog, backlog); +- return sctp_hash_endpoint(ep); ++ err = sctp_hash_endpoint(ep); ++ if (err) ++ goto err; ++ ++ return 0; ++err: ++ inet_sk_set_state(sk, SCTP_SS_CLOSED); ++ return err; + } + + /* +-- +2.43.0 + diff --git a/queue-6.6/selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch b/queue-6.6/selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch new file mode 100644 index 00000000000..8cb19f052d1 --- /dev/null +++ b/queue-6.6/selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch @@ -0,0 +1,84 @@ +From ab2e9bef0248f64ce51df4fb3ec41b0034d23d57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 14:10:16 +0900 +Subject: selftests: net: no_forwarding: fix VID for $swp2 in + one_bridge_two_pvids() test + +From: Kacper Ludwinski + +[ Upstream commit 9f49d14ec41ce7be647028d7d34dea727af55272 ] + +Currently, the second bridge command overwrites the first one. +Fix this by adding this VID to the interface behind $swp2. + +The one_bridge_two_pvids() test intends to check that there is no +leakage of traffic between bridge ports which have a single VLAN - the +PVID VLAN. + +Because of a typo, port $swp1 is configured with a PVID twice (second +command overwrites first), and $swp2 isn't configured at all (and since +the bridge vlan_default_pvid property is set to 0, this port will not +have a PVID at all, so it will drop all untagged and priority-tagged +traffic). + +So, instead of testing the configuration that was intended, we are +testing a different one, where one port has PVID 2 and the other has +no PVID. This incorrect version of the test should also pass, but is +ineffective for its purpose, so fix the typo. + +This typo has an impact on results of the test, +potentially leading to wrong conclusions regarding +the functionality of a network device. + +The tests results: + +TEST: Switch ports in VLAN-aware bridge with different PVIDs: + Unicast non-IP untagged [ OK ] + Multicast non-IP untagged [ OK ] + Broadcast non-IP untagged [ OK ] + Unicast IPv4 untagged [ OK ] + Multicast IPv4 untagged [ OK ] + Unicast IPv6 untagged [ OK ] + Multicast IPv6 untagged [ OK ] + Unicast non-IP VID 1 [ OK ] + Multicast non-IP VID 1 [ OK ] + Broadcast non-IP VID 1 [ OK ] + Unicast IPv4 VID 1 [ OK ] + Multicast IPv4 VID 1 [ OK ] + Unicast IPv6 VID 1 [ OK ] + Multicast IPv6 VID 1 [ OK ] + Unicast non-IP VID 4094 [ OK ] + Multicast non-IP VID 4094 [ OK ] + Broadcast non-IP VID 4094 [ OK ] + Unicast IPv4 VID 4094 [ OK ] + Multicast IPv4 VID 4094 [ OK ] + Unicast IPv6 VID 4094 [ OK ] + Multicast IPv6 VID 4094 [ OK ] + +Fixes: 476a4f05d9b8 ("selftests: forwarding: add a no_forwarding.sh test") +Reviewed-by: Hangbin Liu +Reviewed-by: Shuah Khan +Signed-off-by: Kacper Ludwinski +Link: https://patch.msgid.link/20241002051016.849-1-kac.ludwinski@icloud.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/no_forwarding.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/forwarding/no_forwarding.sh b/tools/testing/selftests/net/forwarding/no_forwarding.sh +index 9e677aa64a06a..694ece9ba3a74 100755 +--- a/tools/testing/selftests/net/forwarding/no_forwarding.sh ++++ b/tools/testing/selftests/net/forwarding/no_forwarding.sh +@@ -202,7 +202,7 @@ one_bridge_two_pvids() + ip link set $swp2 master br0 + + bridge vlan add dev $swp1 vid 1 pvid untagged +- bridge vlan add dev $swp1 vid 2 pvid untagged ++ bridge vlan add dev $swp2 vid 2 pvid untagged + + run_test "Switch ports in VLAN-aware bridge with different PVIDs" + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 6ed62e572dd..fa805a4357d 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -106,3 +106,62 @@ drm-amd-display-check-null-pointer-before-dereferenc.patch fbcon-fix-a-null-pointer-dereference-issue-in-fbcon_.patch smb-client-fix-uaf-in-async-decryption.patch fbdev-sisfb-fix-strbuf-array-overflow.patch +x86-amd_nb-add-new-pci-ids-for-amd-family-0x1a.patch +x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch +nfsd-mark-filecache-down-if-init-fails.patch +ice-set-correct-dst-vsi-in-only-lan-filters.patch +ice-fix-vlan-replay-after-reset.patch +sunrpc-fix-integer-overflow-in-decode_rc_list.patch +nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch +net-phy-dp83869-fix-memory-corruption-when-enabling-.patch +tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch +tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch +tcp-new-tcp_info-stats-for-rto-events.patch +tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch +rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch +netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch +selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch +bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch +net-phy-bcm84881-fix-some-error-handling-paths.patch +thermal-int340x-processor_thermal-set-feature-mask-b.patch +thermal-intel-int340x-processor-fix-warning-during-m.patch +revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch +net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch +net-dsa-b53-fix-jumbo-frame-mtu-check.patch +net-dsa-b53-fix-max-mtu-for-1g-switches.patch +net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch +net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch +net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch +drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch +nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch +gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch +gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch +platform-x86-intel-tpmi-add-defines-to-get-version-i.patch +powercap-intel_rapl_tpmi-ignore-minor-version-change.patch +ice-fix-netif_is_ice-in-safe-mode.patch +ice-rename-switchdev-to-eswitch.patch +ice-flush-fdb-entries-before-reset.patch +i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch +igb-do-not-bring-the-device-up-after-non-fatal-error.patch +e1000e-change-i219-19-devices-to-adp.patch +net-sched-accept-tca_stab-only-for-root-qdisc.patch +net-ibm-emac-mal-fix-wrong-goto.patch +btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch +sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch +netfilter-xtables-avoid-nfproto_unspec-where-needed.patch +netfilter-fib-check-correct-rtable-in-vrf-setups.patch +net-do-not-delay-dst_entries_add-in-dst_release.patch +rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch +vxlan-handle-error-of-rtnl_register_module.patch +bridge-handle-error-of-rtnl_register_module.patch +mctp-handle-error-of-rtnl_register_module.patch +rtnetlink-change-nlk-cb_mutex-role.patch +rtnetlink-add-rtnl_flag_dump_unlocked-flag.patch +mpls-no-longer-hold-rtnl-in-mpls_netconf_dump_devcon.patch +mpls-handle-error-of-rtnl_register_module.patch +phonet-no-longer-hold-rtnl-in-route_dumpit.patch +phonet-handle-error-of-rtnl_register_module.patch +ppp-fix-ppp_async_encode-illegal-access.patch +slip-make-slhc_remember-more-robust-against-maliciou.patch +rcu-nocb-make-irqs-disablement-symmetric.patch +rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch diff --git a/queue-6.6/slip-make-slhc_remember-more-robust-against-maliciou.patch b/queue-6.6/slip-make-slhc_remember-more-robust-against-maliciou.patch new file mode 100644 index 00000000000..3c49e4a7336 --- /dev/null +++ b/queue-6.6/slip-make-slhc_remember-more-robust-against-maliciou.patch @@ -0,0 +1,170 @@ +From f65b615278b4a3305722419b9585ca766b35c2ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 09:11:32 +0000 +Subject: slip: make slhc_remember() more robust against malicious packets + +From: Eric Dumazet + +[ Upstream commit 7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c ] + +syzbot found that slhc_remember() was missing checks against +malicious packets [1]. + +slhc_remember() only checked the size of the packet was at least 20, +which is not good enough. + +We need to make sure the packet includes the IPv4 and TCP header +that are supposed to be carried. + +Add iph and th pointers to make the code more readable. + +[1] + +BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 + slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 + ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455 + ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline] + ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212 + ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327 + pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 + sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 + __release_sock+0x1da/0x330 net/core/sock.c:3072 + release_sock+0x6b/0x250 net/core/sock.c:3626 + pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 + sock_sendmsg_nosec net/socket.c:729 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:744 + ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 + __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 + __do_sys_sendmmsg net/socket.c:2771 [inline] + __se_sys_sendmmsg net/socket.c:2768 [inline] + __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 + x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4091 [inline] + slab_alloc_node mm/slub.c:4134 [inline] + kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 + __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 + alloc_skb include/linux/skbuff.h:1322 [inline] + sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 + pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 + sock_sendmsg_nosec net/socket.c:729 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:744 + ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 + __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 + __do_sys_sendmmsg net/socket.c:2771 [inline] + __se_sys_sendmmsg net/socket.c:2768 [inline] + __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 + x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + +Fixes: b5451d783ade ("slip: Move the SLIP drivers") +Reported-by: syzbot+2ada1bc857496353be5a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/670646db.050a0220.3f80e.0027.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20241009091132.2136321-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/slip/slhc.c | 57 ++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index ba93bab948e09..bf9e801cc61cc 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -643,46 +643,57 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize) + int + slhc_remember(struct slcompress *comp, unsigned char *icp, int isize) + { +- struct cstate *cs; +- unsigned ihl; +- ++ const struct tcphdr *th; + unsigned char index; ++ struct iphdr *iph; ++ struct cstate *cs; ++ unsigned int ihl; + +- if(isize < 20) { +- /* The packet is shorter than a legal IP header */ ++ /* The packet is shorter than a legal IP header. ++ * Also make sure isize is positive. ++ */ ++ if (isize < (int)sizeof(struct iphdr)) { ++runt: + comp->sls_i_runt++; +- return slhc_toss( comp ); ++ return slhc_toss(comp); + } ++ iph = (struct iphdr *)icp; + /* Peek at the IP header's IHL field to find its length */ +- ihl = icp[0] & 0xf; +- if(ihl < 20 / 4){ +- /* The IP header length field is too small */ +- comp->sls_i_runt++; +- return slhc_toss( comp ); +- } +- index = icp[9]; +- icp[9] = IPPROTO_TCP; ++ ihl = iph->ihl; ++ /* The IP header length field is too small, ++ * or packet is shorter than the IP header followed ++ * by minimal tcp header. ++ */ ++ if (ihl < 5 || isize < ihl * 4 + sizeof(struct tcphdr)) ++ goto runt; ++ ++ index = iph->protocol; ++ iph->protocol = IPPROTO_TCP; + + if (ip_fast_csum(icp, ihl)) { + /* Bad IP header checksum; discard */ + comp->sls_i_badcheck++; +- return slhc_toss( comp ); ++ return slhc_toss(comp); + } +- if(index > comp->rslot_limit) { ++ if (index > comp->rslot_limit) { + comp->sls_i_error++; + return slhc_toss(comp); + } +- ++ th = (struct tcphdr *)(icp + ihl * 4); ++ if (th->doff < sizeof(struct tcphdr) / 4) ++ goto runt; ++ if (isize < ihl * 4 + th->doff * 4) ++ goto runt; + /* Update local state */ + cs = &comp->rstate[comp->recv_current = index]; + comp->flags &=~ SLF_TOSS; +- memcpy(&cs->cs_ip,icp,20); +- memcpy(&cs->cs_tcp,icp + ihl*4,20); ++ memcpy(&cs->cs_ip, iph, sizeof(*iph)); ++ memcpy(&cs->cs_tcp, th, sizeof(*th)); + if (ihl > 5) +- memcpy(cs->cs_ipopt, icp + sizeof(struct iphdr), (ihl - 5) * 4); +- if (cs->cs_tcp.doff > 5) +- memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4); +- cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2; ++ memcpy(cs->cs_ipopt, &iph[1], (ihl - 5) * 4); ++ if (th->doff > 5) ++ memcpy(cs->cs_tcpopt, &th[1], (th->doff - 5) * 4); ++ cs->cs_hsize = ihl*2 + th->doff*2; + cs->initialized = true; + /* Put headers back on packet + * Neither header checksum is recalculated +-- +2.43.0 + diff --git a/queue-6.6/sunrpc-fix-integer-overflow-in-decode_rc_list.patch b/queue-6.6/sunrpc-fix-integer-overflow-in-decode_rc_list.patch new file mode 100644 index 00000000000..e8f05ae5073 --- /dev/null +++ b/queue-6.6/sunrpc-fix-integer-overflow-in-decode_rc_list.patch @@ -0,0 +1,37 @@ +From 1ee586897f4f716c9c06d0a3a89f7d44190543ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2024 11:50:33 +0300 +Subject: SUNRPC: Fix integer overflow in decode_rc_list() + +From: Dan Carpenter + +[ Upstream commit 6dbf1f341b6b35bcc20ff95b6b315e509f6c5369 ] + +The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an +integer overflow. Add bounds checking on rc_list->rcl_nrefcalls to fix +that. + +Fixes: 4aece6a19cf7 ("nfs41: cb_sequence xdr implementation") +Signed-off-by: Dan Carpenter +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/callback_xdr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c +index 321af81c456e2..d5f6437da352d 100644 +--- a/fs/nfs/callback_xdr.c ++++ b/fs/nfs/callback_xdr.c +@@ -372,6 +372,8 @@ static __be32 decode_rc_list(struct xdr_stream *xdr, + + rc_list->rcl_nrefcalls = ntohl(*p++); + if (rc_list->rcl_nrefcalls) { ++ if (unlikely(rc_list->rcl_nrefcalls > xdr->buf->len)) ++ goto out; + p = xdr_inline_decode(xdr, + rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)); + if (unlikely(p == NULL)) +-- +2.43.0 + diff --git a/queue-6.6/tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch b/queue-6.6/tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch new file mode 100644 index 00000000000..4bba30b8706 --- /dev/null +++ b/queue-6.6/tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch @@ -0,0 +1,153 @@ +From 151ef3030938ce47a593a98fd12040d7a1c2c578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 20:05:16 +0000 +Subject: tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe + +From: Neal Cardwell + +[ Upstream commit b41b4cbd9655bcebcce941bef3601db8110335be ] + +Fix tcp_enter_recovery() so that if there are no retransmits out then +we zero retrans_stamp when entering fast recovery. This is necessary +to fix two buggy behaviors. + +Currently a non-zero retrans_stamp value can persist across multiple +back-to-back loss recovery episodes. This is because we generally only +clears retrans_stamp if we are completely done with loss recoveries, +and get to tcp_try_to_open() and find !tcp_any_retrans_done(sk). This +behavior causes two bugs: + +(1) When a loss recovery episode (CA_Loss or CA_Recovery) is followed +immediately by a new CA_Recovery, the retrans_stamp value can persist +and can be a time before this new CA_Recovery episode starts. That +means that timestamp-based undo will be using the wrong retrans_stamp +(a value that is too old) when comparing incoming TS ecr values to +retrans_stamp to see if the current fast recovery episode can be +undone. + +(2) If there is a roughly minutes-long sequence of back-to-back fast +recovery episodes, one after another (e.g. in a shallow-buffered or +policed bottleneck), where each fast recovery successfully makes +forward progress and recovers one window of sequence space (but leaves +at least one retransmit in flight at the end of the recovery), +followed by several RTOs, then the ETIMEDOUT check may be using the +wrong retrans_stamp (a value set at the start of the first fast +recovery in the sequence). This can cause a very premature ETIMEDOUT, +killing the connection prematurely. + +This commit changes the code to zero retrans_stamp when entering fast +recovery, when this is known to be safe (no retransmits are out in the +network). That ensures that when starting a fast recovery episode, and +it is safe to do so, retrans_stamp is set when we send the fast +retransmit packet. That addresses both bug (1) and bug (2) by ensuring +that (if no retransmits are out when we start a fast recovery) we use +the initial fast retransmit of this fast recovery as the time value +for undo and ETIMEDOUT calculations. + +This makes intuitive sense, since the start of a new fast recovery +episode (in a scenario where no lost packets are out in the network) +means that the connection has made forward progress since the last RTO +or fast recovery, and we should thus "restart the clock" used for both +undo and ETIMEDOUT logic. + +Note that if when we start fast recovery there *are* retransmits out +in the network, there can still be undesirable (1)/(2) issues. For +example, after this patch we can still have the (1) and (2) problems +in cases like this: + ++ round 1: sender sends flight 1 + ++ round 2: sender receives SACKs and enters fast recovery 1, + retransmits some packets in flight 1 and then sends some new data as + flight 2 + ++ round 3: sender receives some SACKs for flight 2, notes losses, and + retransmits some packets to fill the holes in flight 2 + ++ fast recovery has some lost retransmits in flight 1 and continues + for one or more rounds sending retransmits for flight 1 and flight 2 + ++ fast recovery 1 completes when snd_una reaches high_seq at end of + flight 1 + ++ there are still holes in the SACK scoreboard in flight 2, so we + enter fast recovery 2, but some retransmits in the flight 2 sequence + range are still in flight (retrans_out > 0), so we can't execute the + new retrans_stamp=0 added here to clear retrans_stamp + +It's not yet clear how to fix these remaining (1)/(2) issues in an +efficient way without breaking undo behavior, given that retrans_stamp +is currently used for undo and ETIMEDOUT. Perhaps the optimal (but +expensive) strategy would be to set retrans_stamp to the timestamp of +the earliest outstanding retransmit when entering fast recovery. But +at least this commit makes things better. + +Note that this does not change the semantics of retrans_stamp; it +simply makes retrans_stamp accurate in some cases where it was not +before: + +(1) Some loss recovery, followed by an immediate entry into a fast +recovery, where there are no retransmits out when entering the fast +recovery. + +(2) When a TFO server has a SYNACK retransmit that sets retrans_stamp, +and then the ACK that completes the 3-way handshake has SACK blocks +that trigger a fast recovery. In this case when entering fast recovery +we want to zero out the retrans_stamp from the TFO SYNACK retransmit, +and set the retrans_stamp based on the timestamp of the fast recovery. + +We introduce a tcp_retrans_stamp_cleanup() helper, because this +two-line sequence already appears in 3 places and is about to appear +in 2 more as a result of this bug fix patch series. Once this bug fix +patches series in the net branch makes it into the net-next branch +we'll update the 3 other call sites to use the new helper. + +This is a long-standing issue. The Fixes tag below is chosen to be the +oldest commit at which the patch will apply cleanly, which is from +Linux v3.5 in 2012. + +Fixes: 1fbc340514fc ("tcp: early retransmit: tcp_enter_recovery()") +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20241001200517.2756803-3-ncardwell.sw@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 31e4f7bce00ce..057d39248bec7 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2501,6 +2501,16 @@ static bool tcp_any_retrans_done(const struct sock *sk) + return false; + } + ++/* If loss recovery is finished and there are no retransmits out in the ++ * network, then we clear retrans_stamp so that upon the next loss recovery ++ * retransmits_timed_out() and timestamp-undo are using the correct value. ++ */ ++static void tcp_retrans_stamp_cleanup(struct sock *sk) ++{ ++ if (!tcp_any_retrans_done(sk)) ++ tcp_sk(sk)->retrans_stamp = 0; ++} ++ + static void DBGUNDO(struct sock *sk, const char *msg) + { + #if FASTRETRANS_DEBUG > 1 +@@ -2868,6 +2878,9 @@ void tcp_enter_recovery(struct sock *sk, bool ece_ack) + struct tcp_sock *tp = tcp_sk(sk); + int mib_idx; + ++ /* Start the clock with our fast retransmit, for undo and ETIMEDOUT. */ ++ tcp_retrans_stamp_cleanup(sk); ++ + if (tcp_is_reno(tp)) + mib_idx = LINUX_MIB_TCPRENORECOVERY; + else +-- +2.43.0 + diff --git a/queue-6.6/tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch b/queue-6.6/tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch new file mode 100644 index 00000000000..04849a2a1d4 --- /dev/null +++ b/queue-6.6/tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch @@ -0,0 +1,63 @@ +From bd8a0a6db09057c3df7254cea717b1b3d27fd134 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 20:05:17 +0000 +Subject: tcp: fix TFO SYN_RECV to not zero retrans_stamp with retransmits out + +From: Neal Cardwell + +[ Upstream commit 27c80efcc20486c82698f05f00e288b44513c86b ] + +Fix tcp_rcv_synrecv_state_fastopen() to not zero retrans_stamp +if retransmits are outstanding. + +tcp_fastopen_synack_timer() sets retrans_stamp, so typically we'll +need to zero retrans_stamp here to prevent spurious +retransmits_timed_out(). The logic to zero retrans_stamp is from this +2019 commit: + +commit cd736d8b67fb ("tcp: fix retrans timestamp on passive Fast Open") + +However, in the corner case where the ACK of our TFO SYNACK carried +some SACK blocks that caused us to enter TCP_CA_Recovery then that +non-zero retrans_stamp corresponds to the active fast recovery, and we +need to leave retrans_stamp with its current non-zero value, for +correct ETIMEDOUT and undo behavior. + +Fixes: cd736d8b67fb ("tcp: fix retrans timestamp on passive Fast Open") +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20241001200517.2756803-4-ncardwell.sw@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index d472f7052cd32..fb053942dba2a 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6554,10 +6554,17 @@ static void tcp_rcv_synrecv_state_fastopen(struct sock *sk) + if (inet_csk(sk)->icsk_ca_state == TCP_CA_Loss && !tp->packets_out) + tcp_try_undo_recovery(sk); + +- /* Reset rtx states to prevent spurious retransmits_timed_out() */ + tcp_update_rto_time(tp); +- tp->retrans_stamp = 0; + inet_csk(sk)->icsk_retransmits = 0; ++ /* In tcp_fastopen_synack_timer() on the first SYNACK RTO we set ++ * retrans_stamp but don't enter CA_Loss, so in case that happened we ++ * need to zero retrans_stamp here to prevent spurious ++ * retransmits_timed_out(). However, if the ACK of our SYNACK caused us ++ * to enter CA_Recovery then we need to leave retrans_stamp as it was ++ * set entering CA_Recovery, for correct retransmits_timed_out() and ++ * undo behavior. ++ */ ++ tcp_retrans_stamp_cleanup(sk); + + /* Once we leave TCP_SYN_RECV or TCP_FIN_WAIT_1, + * we no longer need req so release it. +-- +2.43.0 + diff --git a/queue-6.6/tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch b/queue-6.6/tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch new file mode 100644 index 00000000000..c8a8b2a3a21 --- /dev/null +++ b/queue-6.6/tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch @@ -0,0 +1,96 @@ +From a549d96e42e3465196812b93037daedfc6baf71f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 20:05:15 +0000 +Subject: tcp: fix to allow timestamp undo if no retransmits were sent + +From: Neal Cardwell + +[ Upstream commit e37ab7373696e650d3b6262a5b882aadad69bb9e ] + +Fix the TCP loss recovery undo logic in tcp_packet_delayed() so that +it can trigger undo even if TSQ prevents a fast recovery episode from +reaching tcp_retransmit_skb(). + +Geumhwan Yu recently reported that after +this commit from 2019: + +commit bc9f38c8328e ("tcp: avoid unconditional congestion window undo +on SYN retransmit") + +...and before this fix we could have buggy scenarios like the +following: + ++ Due to reordering, a TCP connection receives some SACKs and enters a + spurious fast recovery. + ++ TSQ prevents all invocations of tcp_retransmit_skb(), because many + skbs are queued in lower layers of the sending machine's network + stack; thus tp->retrans_stamp remains 0. + ++ The connection receives a TCP timestamp ECR value echoing a + timestamp before the fast recovery, indicating that the fast + recovery was spurious. + ++ The connection fails to undo the spurious fast recovery because + tp->retrans_stamp is 0, and thus tcp_packet_delayed() returns false, + due to the new logic in the 2019 commit: commit bc9f38c8328e ("tcp: + avoid unconditional congestion window undo on SYN retransmit") + +This fix tweaks the logic to be more similar to the +tcp_packet_delayed() logic before bc9f38c8328e, except that we take +care not to be fooled by the FLAG_SYN_ACKED code path zeroing out +tp->retrans_stamp (the bug noted and fixed by Yuchung in +bc9f38c8328e). + +Note that this returns the high-level behavior of tcp_packet_delayed() +to again match the comment for the function, which says: "Nothing was +retransmitted or returned timestamp is less than timestamp of the +first retransmission." Note that this comment is in the original +2005-04-16 Linux git commit, so this is evidently long-standing +behavior. + +Fixes: bc9f38c8328e ("tcp: avoid unconditional congestion window undo on SYN retransmit") +Reported-by: Geumhwan Yu +Diagnosed-by: Geumhwan Yu +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20241001200517.2756803-2-ncardwell.sw@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index b565c8a8e7bad..31e4f7bce00ce 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2452,8 +2452,22 @@ static bool tcp_skb_spurious_retrans(const struct tcp_sock *tp, + */ + static inline bool tcp_packet_delayed(const struct tcp_sock *tp) + { +- return tp->retrans_stamp && +- tcp_tsopt_ecr_before(tp, tp->retrans_stamp); ++ const struct sock *sk = (const struct sock *)tp; ++ ++ if (tp->retrans_stamp && ++ tcp_tsopt_ecr_before(tp, tp->retrans_stamp)) ++ return true; /* got echoed TS before first retransmission */ ++ ++ /* Check if nothing was retransmitted (retrans_stamp==0), which may ++ * happen in fast recovery due to TSQ. But we ignore zero retrans_stamp ++ * in TCP_SYN_SENT, since when we set FLAG_SYN_ACKED we also clear ++ * retrans_stamp even if we had retransmitted the SYN. ++ */ ++ if (!tp->retrans_stamp && /* no record of a retransmit/SYN? */ ++ sk->sk_state != TCP_SYN_SENT) /* not the FLAG_SYN_ACKED case? */ ++ return true; /* nothing was retransmitted */ ++ ++ return false; + } + + /* Undo procedures. */ +-- +2.43.0 + diff --git a/queue-6.6/tcp-new-tcp_info-stats-for-rto-events.patch b/queue-6.6/tcp-new-tcp_info-stats-for-rto-events.patch new file mode 100644 index 00000000000..95c03a7f046 --- /dev/null +++ b/queue-6.6/tcp-new-tcp_info-stats-for-rto-events.patch @@ -0,0 +1,218 @@ +From 288c548f22b99e5760a693f2b9e250cec5df066a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Sep 2023 14:36:21 +0000 +Subject: tcp: new TCP_INFO stats for RTO events + +From: Aananth V + +[ Upstream commit 3868ab0f192581eff978501a05f3dc2e01541d77 ] + +The 2023 SIGCOMM paper "Improving Network Availability with Protective +ReRoute" has indicated Linux TCP's RTO-triggered txhash rehashing can +effectively reduce application disruption during outages. To better +measure the efficacy of this feature, this patch adds three more +detailed stats during RTO recovery and exports via TCP_INFO. +Applications and monitoring systems can leverage this data to measure +the network path diversity and end-to-end repair latency during network +outages to improve their network infrastructure. + +The following counters are added to tcp_sock in order to track RTO +events over the lifetime of a TCP socket. + +1. u16 total_rto - Counts the total number of RTO timeouts. +2. u16 total_rto_recoveries - Counts the total number of RTO recoveries. +3. u32 total_rto_time - Counts the total time spent (ms) in RTO + recoveries. (time spent in CA_Loss and + CA_Recovery states) + +To compute total_rto_time, we add a new u32 rto_stamp field to +tcp_sock. rto_stamp records the start timestamp (ms) of the last RTO +recovery (CA_Loss). + +Corresponding fields are also added to the tcp_info struct. + +Signed-off-by: Aananth V +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 27c80efcc204 ("tcp: fix TFO SYN_RECV to not zero retrans_stamp with retransmits out") +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 8 ++++++++ + include/uapi/linux/tcp.h | 12 ++++++++++++ + net/ipv4/tcp.c | 9 +++++++++ + net/ipv4/tcp_input.c | 15 +++++++++++++++ + net/ipv4/tcp_minisocks.c | 4 ++++ + net/ipv4/tcp_timer.c | 17 +++++++++++++++-- + 6 files changed, 63 insertions(+), 2 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index 3c5efeeb024f6..9b371aa7c7962 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -377,6 +377,14 @@ struct tcp_sock { + * Total data bytes retransmitted + */ + u32 total_retrans; /* Total retransmits for entire connection */ ++ u32 rto_stamp; /* Start time (ms) of last CA_Loss recovery */ ++ u16 total_rto; /* Total number of RTO timeouts, including ++ * SYN/SYN-ACK and recurring timeouts. ++ */ ++ u16 total_rto_recoveries; /* Total number of RTO recoveries, ++ * including any unfinished recovery. ++ */ ++ u32 total_rto_time; /* ms spent in (completed) RTO recoveries. */ + + u32 urg_seq; /* Seq of received urgent pointer */ + unsigned int keepalive_time; /* time before keep alive takes place */ +diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h +index 879eeb0a084b4..d1d08da6331ab 100644 +--- a/include/uapi/linux/tcp.h ++++ b/include/uapi/linux/tcp.h +@@ -289,6 +289,18 @@ struct tcp_info { + */ + + __u32 tcpi_rehash; /* PLB or timeout triggered rehash attempts */ ++ ++ __u16 tcpi_total_rto; /* Total number of RTO timeouts, including ++ * SYN/SYN-ACK and recurring timeouts. ++ */ ++ __u16 tcpi_total_rto_recoveries; /* Total number of RTO ++ * recoveries, including any ++ * unfinished recovery. ++ */ ++ __u32 tcpi_total_rto_time; /* Total time spent in RTO recoveries ++ * in milliseconds, including any ++ * unfinished recovery. ++ */ + }; + + /* netlink attributes types for SCM_TIMESTAMPING_OPT_STATS */ +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 1e3202f2b7a87..75371928d94f6 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3851,6 +3851,15 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info) + info->tcpi_rcv_wnd = tp->rcv_wnd; + info->tcpi_rehash = tp->plb_rehash + tp->timeout_rehash; + info->tcpi_fastopen_client_fail = tp->fastopen_client_fail; ++ ++ info->tcpi_total_rto = tp->total_rto; ++ info->tcpi_total_rto_recoveries = tp->total_rto_recoveries; ++ info->tcpi_total_rto_time = tp->total_rto_time; ++ if (tp->rto_stamp) { ++ info->tcpi_total_rto_time += tcp_time_stamp_raw() - ++ tp->rto_stamp; ++ } ++ + unlock_sock_fast(sk, slow); + } + EXPORT_SYMBOL_GPL(tcp_get_info); +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 057d39248bec7..d472f7052cd32 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2108,6 +2108,10 @@ void tcp_clear_retrans(struct tcp_sock *tp) + tp->undo_marker = 0; + tp->undo_retrans = -1; + tp->sacked_out = 0; ++ tp->rto_stamp = 0; ++ tp->total_rto = 0; ++ tp->total_rto_recoveries = 0; ++ tp->total_rto_time = 0; + } + + static inline void tcp_init_undo(struct tcp_sock *tp) +@@ -2899,6 +2903,14 @@ void tcp_enter_recovery(struct sock *sk, bool ece_ack) + tcp_set_ca_state(sk, TCP_CA_Recovery); + } + ++static void tcp_update_rto_time(struct tcp_sock *tp) ++{ ++ if (tp->rto_stamp) { ++ tp->total_rto_time += tcp_time_stamp(tp) - tp->rto_stamp; ++ tp->rto_stamp = 0; ++ } ++} ++ + /* Process an ACK in CA_Loss state. Move to CA_Open if lost data are + * recovered or spurious. Otherwise retransmits more on partial ACKs. + */ +@@ -3103,6 +3115,8 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + break; + case TCP_CA_Loss: + tcp_process_loss(sk, flag, num_dupack, rexmit); ++ if (icsk->icsk_ca_state != TCP_CA_Loss) ++ tcp_update_rto_time(tp); + tcp_identify_packet_loss(sk, ack_flag); + if (!(icsk->icsk_ca_state == TCP_CA_Open || + (*ack_flag & FLAG_LOST_RETRANS))) +@@ -6541,6 +6555,7 @@ static void tcp_rcv_synrecv_state_fastopen(struct sock *sk) + tcp_try_undo_recovery(sk); + + /* Reset rtx states to prevent spurious retransmits_timed_out() */ ++ tcp_update_rto_time(tp); + tp->retrans_stamp = 0; + inet_csk(sk)->icsk_retransmits = 0; + +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index 0c04c460001f1..cc2b608b1a8e7 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -560,6 +560,10 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, + newtp->undo_marker = treq->snt_isn; + newtp->retrans_stamp = div_u64(treq->snt_synack, + USEC_PER_SEC / TCP_TS_HZ); ++ newtp->total_rto = req->num_timeout; ++ newtp->total_rto_recoveries = 1; ++ newtp->total_rto_time = tcp_time_stamp_raw() - ++ newtp->retrans_stamp; + } + newtp->tsoffset = treq->ts_off; + #ifdef CONFIG_TCP_MD5SIG +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index 64bcf384e9ddc..b65cd417b0f7c 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -411,6 +411,19 @@ abort: tcp_write_err(sk); + } + } + ++static void tcp_update_rto_stats(struct sock *sk) ++{ ++ struct inet_connection_sock *icsk = inet_csk(sk); ++ struct tcp_sock *tp = tcp_sk(sk); ++ ++ if (!icsk->icsk_retransmits) { ++ tp->total_rto_recoveries++; ++ tp->rto_stamp = tcp_time_stamp(tp); ++ } ++ icsk->icsk_retransmits++; ++ tp->total_rto++; ++} ++ + /* + * Timer for Fast Open socket to retransmit SYNACK. Note that the + * sk here is the child socket, not the parent (listener) socket. +@@ -443,7 +456,7 @@ static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req) + */ + inet_rtx_syn_ack(sk, req); + req->num_timeout++; +- icsk->icsk_retransmits++; ++ tcp_update_rto_stats(sk); + if (!tp->retrans_stamp) + tp->retrans_stamp = tcp_time_stamp(tp); + inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, +@@ -586,7 +599,7 @@ void tcp_retransmit_timer(struct sock *sk) + + tcp_enter_loss(sk); + +- icsk->icsk_retransmits++; ++ tcp_update_rto_stats(sk); + if (tcp_retransmit_skb(sk, tcp_rtx_queue_head(sk), 1) > 0) { + /* Retransmission failed because of local congestion, + * Let senders fight for local resources conservatively. +-- +2.43.0 + diff --git a/queue-6.6/thermal-int340x-processor_thermal-set-feature-mask-b.patch b/queue-6.6/thermal-int340x-processor_thermal-set-feature-mask-b.patch new file mode 100644 index 00000000000..51e32de1a53 --- /dev/null +++ b/queue-6.6/thermal-int340x-processor_thermal-set-feature-mask-b.patch @@ -0,0 +1,88 @@ +From 9a598967dd202a2c4ff764cea6c3bf0412b184d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 12:05:34 -0700 +Subject: thermal: int340x: processor_thermal: Set feature mask before + proc_thermal_add + +From: Srinivas Pandruvada + +[ Upstream commit 6ebc25d8b053a208786295bab58abbb66b39c318 ] + +The function proc_thermal_add() adds sysfs entries for power limits. + +The feature mask of available features is not present at that time, so +it cannot be used by proc_thermal_add() to selectively create sysfs +attributes. + +The feature mask is set by proc_thermal_mmio_add(), so modify the code +to call it before proc_thermal_add() so as to allow the latter to use +the feature mask. + +There is no functional impact with this change. + +Signed-off-by: Srinivas Pandruvada +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: 99ca0b57e49f ("thermal: intel: int340x: processor: Fix warning during module unload") +Signed-off-by: Sasha Levin +--- + .../processor_thermal_device_pci.c | 21 +++++++++---------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c +index 0d1e980072704..e7a0f17cdbe4b 100644 +--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c ++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c +@@ -223,19 +223,19 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, const struct pci_device_ + + INIT_DELAYED_WORK(&pci_info->work, proc_thermal_threshold_work_fn); + +- ret = proc_thermal_add(&pdev->dev, proc_priv); +- if (ret) { +- dev_err(&pdev->dev, "error: proc_thermal_add, will continue\n"); +- pci_info->no_legacy = 1; +- } +- + proc_priv->priv_data = pci_info; + pci_info->proc_priv = proc_priv; + pci_set_drvdata(pdev, proc_priv); + + ret = proc_thermal_mmio_add(pdev, proc_priv, id->driver_data); + if (ret) +- goto err_ret_thermal; ++ return ret; ++ ++ ret = proc_thermal_add(&pdev->dev, proc_priv); ++ if (ret) { ++ dev_err(&pdev->dev, "error: proc_thermal_add, will continue\n"); ++ pci_info->no_legacy = 1; ++ } + + psv_trip.temperature = get_trip_temp(pci_info); + +@@ -245,7 +245,7 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, const struct pci_device_ + &tzone_params, 0, 0); + if (IS_ERR(pci_info->tzone)) { + ret = PTR_ERR(pci_info->tzone); +- goto err_ret_mmio; ++ goto err_del_legacy; + } + + /* request and enable interrupt */ +@@ -276,11 +276,10 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, const struct pci_device_ + pci_free_irq_vectors(pdev); + err_ret_tzone: + thermal_zone_device_unregister(pci_info->tzone); +-err_ret_mmio: +- proc_thermal_mmio_remove(pdev, proc_priv); +-err_ret_thermal: ++err_del_legacy: + if (!pci_info->no_legacy) + proc_thermal_remove(proc_priv); ++ proc_thermal_mmio_remove(pdev, proc_priv); + pci_disable_device(pdev); + + return ret; +-- +2.43.0 + diff --git a/queue-6.6/thermal-intel-int340x-processor-fix-warning-during-m.patch b/queue-6.6/thermal-intel-int340x-processor-fix-warning-during-m.patch new file mode 100644 index 00000000000..e8c0eeba767 --- /dev/null +++ b/queue-6.6/thermal-intel-int340x-processor-fix-warning-during-m.patch @@ -0,0 +1,82 @@ +From 53a0a4955d0ea9bea340251c91f252c43fb2085b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:17:57 +0800 +Subject: thermal: intel: int340x: processor: Fix warning during module unload + +From: Zhang Rui + +[ Upstream commit 99ca0b57e49fb73624eede1c4396d9e3d10ccf14 ] + +The processor_thermal driver uses pcim_device_enable() to enable a PCI +device, which means the device will be automatically disabled on driver +detach. Thus there is no need to call pci_disable_device() again on it. + +With recent PCI device resource management improvements, e.g. commit +f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is +exposed and triggers the warining below. + + [ 224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device + [ 224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100 + ... + [ 224.010844] Call Trace: + [ 224.010845] + [ 224.010847] ? show_regs+0x6d/0x80 + [ 224.010851] ? __warn+0x8c/0x140 + [ 224.010854] ? pci_disable_device+0xe5/0x100 + [ 224.010856] ? report_bug+0x1c9/0x1e0 + [ 224.010859] ? handle_bug+0x46/0x80 + [ 224.010862] ? exc_invalid_op+0x1d/0x80 + [ 224.010863] ? asm_exc_invalid_op+0x1f/0x30 + [ 224.010867] ? pci_disable_device+0xe5/0x100 + [ 224.010869] ? pci_disable_device+0xe5/0x100 + [ 224.010871] ? kfree+0x21a/0x2b0 + [ 224.010873] pcim_disable_device+0x20/0x30 + [ 224.010875] devm_action_release+0x16/0x20 + [ 224.010878] release_nodes+0x47/0xc0 + [ 224.010880] devres_release_all+0x9f/0xe0 + [ 224.010883] device_unbind_cleanup+0x12/0x80 + [ 224.010885] device_release_driver_internal+0x1ca/0x210 + [ 224.010887] driver_detach+0x4e/0xa0 + [ 224.010889] bus_remove_driver+0x6f/0xf0 + [ 224.010890] driver_unregister+0x35/0x60 + [ 224.010892] pci_unregister_driver+0x44/0x90 + [ 224.010894] proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci] + ... + [ 224.010921] ---[ end trace 0000000000000000 ]--- + +Remove the excess pci_disable_device() calls. + +Fixes: acd65d5d1cf4 ("thermal/drivers/int340x/processor_thermal: Add PCI MMIO based thermal driver") +Signed-off-by: Zhang Rui +Reviewed-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20240930081801.28502-3-rui.zhang@intel.com +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + .../intel/int340x_thermal/processor_thermal_device_pci.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c +index e7a0f17cdbe4b..24eaec5d095c1 100644 +--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c ++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c +@@ -280,7 +280,6 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, const struct pci_device_ + if (!pci_info->no_legacy) + proc_thermal_remove(proc_priv); + proc_thermal_mmio_remove(pdev, proc_priv); +- pci_disable_device(pdev); + + return ret; + } +@@ -302,7 +301,6 @@ static void proc_thermal_pci_remove(struct pci_dev *pdev) + proc_thermal_mmio_remove(pdev, pci_info->proc_priv); + if (!pci_info->no_legacy) + proc_thermal_remove(proc_priv); +- pci_disable_device(pdev); + } + + #ifdef CONFIG_PM_SLEEP +-- +2.43.0 + diff --git a/queue-6.6/vxlan-handle-error-of-rtnl_register_module.patch b/queue-6.6/vxlan-handle-error-of-rtnl_register_module.patch new file mode 100644 index 00000000000..c067524ee2a --- /dev/null +++ b/queue-6.6/vxlan-handle-error-of-rtnl_register_module.patch @@ -0,0 +1,98 @@ +From 6cac8c2743f902df4fdd4cd585a4319a40e9e21f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 11:47:33 -0700 +Subject: vxlan: Handle error of rtnl_register_module(). + +From: Kuniyuki Iwashima + +[ Upstream commit 78b7b991838a4a6baeaad934addc4db2c5917eb8 ] + +Since introduced, vxlan_vnifilter_init() has been ignoring the +returned value of rtnl_register_module(), which could fail silently. + +Handling the error allows users to view a module as an all-or-nothing +thing in terms of the rtnetlink functionality. This prevents syzkaller +from reporting spurious errors from its tests, where OOM often occurs +and module is automatically loaded. + +Let's handle the errors by rtnl_register_many(). + +Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 6 +++++- + drivers/net/vxlan/vxlan_private.h | 2 +- + drivers/net/vxlan/vxlan_vnifilter.c | 19 +++++++++---------- + 3 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 8268fa331826e..c114c91b558bd 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -4819,9 +4819,13 @@ static int __init vxlan_init_module(void) + if (rc) + goto out4; + +- vxlan_vnifilter_init(); ++ rc = vxlan_vnifilter_init(); ++ if (rc) ++ goto out5; + + return 0; ++out5: ++ rtnl_link_unregister(&vxlan_link_ops); + out4: + unregister_switchdev_notifier(&vxlan_switchdev_notifier_block); + out3: +diff --git a/drivers/net/vxlan/vxlan_private.h b/drivers/net/vxlan/vxlan_private.h +index 817fa3075842e..85b6d0c347e3b 100644 +--- a/drivers/net/vxlan/vxlan_private.h ++++ b/drivers/net/vxlan/vxlan_private.h +@@ -202,7 +202,7 @@ int vxlan_vni_in_use(struct net *src_net, struct vxlan_dev *vxlan, + int vxlan_vnigroup_init(struct vxlan_dev *vxlan); + void vxlan_vnigroup_uninit(struct vxlan_dev *vxlan); + +-void vxlan_vnifilter_init(void); ++int vxlan_vnifilter_init(void); + void vxlan_vnifilter_uninit(void); + void vxlan_vnifilter_count(struct vxlan_dev *vxlan, __be32 vni, + struct vxlan_vni_node *vninode, +diff --git a/drivers/net/vxlan/vxlan_vnifilter.c b/drivers/net/vxlan/vxlan_vnifilter.c +index 9c59d0bf8c3de..d2023e7131bd4 100644 +--- a/drivers/net/vxlan/vxlan_vnifilter.c ++++ b/drivers/net/vxlan/vxlan_vnifilter.c +@@ -992,19 +992,18 @@ static int vxlan_vnifilter_process(struct sk_buff *skb, struct nlmsghdr *nlh, + return err; + } + +-void vxlan_vnifilter_init(void) ++static const struct rtnl_msg_handler vxlan_vnifilter_rtnl_msg_handlers[] = { ++ {THIS_MODULE, PF_BRIDGE, RTM_GETTUNNEL, NULL, vxlan_vnifilter_dump, 0}, ++ {THIS_MODULE, PF_BRIDGE, RTM_NEWTUNNEL, vxlan_vnifilter_process, NULL, 0}, ++ {THIS_MODULE, PF_BRIDGE, RTM_DELTUNNEL, vxlan_vnifilter_process, NULL, 0}, ++}; ++ ++int vxlan_vnifilter_init(void) + { +- rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_GETTUNNEL, NULL, +- vxlan_vnifilter_dump, 0); +- rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_NEWTUNNEL, +- vxlan_vnifilter_process, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_DELTUNNEL, +- vxlan_vnifilter_process, NULL, 0); ++ return rtnl_register_many(vxlan_vnifilter_rtnl_msg_handlers); + } + + void vxlan_vnifilter_uninit(void) + { +- rtnl_unregister(PF_BRIDGE, RTM_GETTUNNEL); +- rtnl_unregister(PF_BRIDGE, RTM_NEWTUNNEL); +- rtnl_unregister(PF_BRIDGE, RTM_DELTUNNEL); ++ rtnl_unregister_many(vxlan_vnifilter_rtnl_msg_handlers); + } +-- +2.43.0 + diff --git a/queue-6.6/x86-amd_nb-add-new-pci-ids-for-amd-family-0x1a.patch b/queue-6.6/x86-amd_nb-add-new-pci-ids-for-amd-family-0x1a.patch new file mode 100644 index 00000000000..925f00616de --- /dev/null +++ b/queue-6.6/x86-amd_nb-add-new-pci-ids-for-amd-family-0x1a.patch @@ -0,0 +1,51 @@ +From d21c193e31fea86fe8ebe172f92f7983bac12bf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 16:48:28 +0530 +Subject: x86/amd_nb: Add new PCI IDs for AMD family 0x1a + +From: Shyam Sundar S K + +[ Upstream commit 0e640f0a47d8426eab1fb9c03f0af898dfe810b8 ] + +Add the new PCI Device IDs to the MISC IDs list to support new +generation of AMD 1Ah family 70h Models of processors. + + [ bp: Massage commit message. ] + +Signed-off-by: Shyam Sundar S K +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20240510111829.969501-1-Shyam-sundar.S-k@amd.com +Stable-dep-of: 59c34008d3bd ("x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h") +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/amd_nb.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c +index 6f1cc7f1b202a..8a1a6faf29658 100644 +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -92,6 +92,7 @@ static const struct pci_device_id amd_nb_misc_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M78H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_MI200_DF_F3) }, + {} + }; +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index cebfd1bb9dfa1..f195ebc3ecb57 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -580,6 +580,7 @@ + #define PCI_DEVICE_ID_AMD_19H_M78H_DF_F3 0x12fb + #define PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3 0x12c3 + #define PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3 0x16fb ++#define PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3 0x12bb + #define PCI_DEVICE_ID_AMD_MI200_DF_F3 0x14d3 + #define PCI_DEVICE_ID_AMD_VANGOGH_USB 0x163a + #define PCI_DEVICE_ID_AMD_CNB17H_F3 0x1703 +-- +2.43.0 + diff --git a/queue-6.6/x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch b/queue-6.6/x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch new file mode 100644 index 00000000000..34741f5174e --- /dev/null +++ b/queue-6.6/x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch @@ -0,0 +1,79 @@ +From 9d1a9d22b654a5828da663256c51118f53ea62cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 14:58:01 +0530 +Subject: x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h + +From: Shyam Sundar S K + +[ Upstream commit 59c34008d3bdeef4c8ebc0ed2426109b474334d4 ] + +Add new PCI device IDs into the root IDs and miscellaneous IDs lists to +provide support for the latest generation of AMD 1Ah family 60h processor +models. + +Signed-off-by: Shyam Sundar S K +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Yazen Ghannam +Link: https://lore.kernel.org/r/20240722092801.3480266-1-Shyam-sundar.S-k@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/amd_nb.c | 3 +++ + drivers/hwmon/k10temp.c | 1 + + include/linux/pci_ids.h | 1 + + 3 files changed, 5 insertions(+) + +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c +index 8a1a6faf29658..6dabb53f58a44 100644 +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -26,6 +26,7 @@ + #define PCI_DEVICE_ID_AMD_19H_M70H_ROOT 0x14e8 + #define PCI_DEVICE_ID_AMD_1AH_M00H_ROOT 0x153a + #define PCI_DEVICE_ID_AMD_1AH_M20H_ROOT 0x1507 ++#define PCI_DEVICE_ID_AMD_1AH_M60H_ROOT 0x1122 + #define PCI_DEVICE_ID_AMD_MI200_ROOT 0x14bb + + #define PCI_DEVICE_ID_AMD_17H_DF_F4 0x1464 +@@ -61,6 +62,7 @@ static const struct pci_device_id amd_root_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M70H_ROOT) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M00H_ROOT) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M20H_ROOT) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M60H_ROOT) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_MI200_ROOT) }, + {} + }; +@@ -92,6 +94,7 @@ static const struct pci_device_id amd_nb_misc_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M78H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M60H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_MI200_DF_F3) }, + {} +diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c +index ae0f454c305d6..c906731c6c2d3 100644 +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -545,6 +545,7 @@ static const struct pci_device_id k10temp_id_table[] = { + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M78H_DF_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3) }, ++ { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M60H_DF_F3) }, + { PCI_VDEVICE(HYGON, PCI_DEVICE_ID_AMD_17H_DF_F3) }, + {} + }; +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index f195ebc3ecb57..3dce2be622e74 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -580,6 +580,7 @@ + #define PCI_DEVICE_ID_AMD_19H_M78H_DF_F3 0x12fb + #define PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3 0x12c3 + #define PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3 0x16fb ++#define PCI_DEVICE_ID_AMD_1AH_M60H_DF_F3 0x124b + #define PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3 0x12bb + #define PCI_DEVICE_ID_AMD_MI200_DF_F3 0x14d3 + #define PCI_DEVICE_ID_AMD_VANGOGH_USB 0x163a +-- +2.43.0 +