From 10e27b466e576509b8f66a14468ad51a536b49ee Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 22 May 2023 07:45:35 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...tional-tunnel-beet-mode-templates-in.patch | 71 +++++++ ...gi00x-prevent-potential-use-after-fr.patch | 41 ++++ ...-apply-hp-b-o-top-speaker-profile-to.patch | 39 ++++ ...idge-always-declare-tunnel-functions.patch | 61 ++++++ ...mory-leak-in-the-error-handling-path.patch | 42 ++++ ...e-tsc-read-per-cpu-for-mperf-monitor.patch | 159 ++++++++++++++ ...2d_open-close-helper-function-defini.patch | 48 +++++ ...nregister-audio-driver-during-unbind.patch | 81 +++++++ ...ve-duplicate-register-defines-from-i.patch | 45 ++++ ...roto-with-the-md-version-for-collect.patch | 81 +++++++ ...igb-fix-bit_shift-to-be-in-1.8-range.patch | 50 +++++ ...tcp-do-not-use-per-netns-ctl-sockets.patch | 178 ++++++++++++++++ ...idvb-fix-use-after-free-at-del_timer.patch | 49 +++++ ...ove-phy_stop-from-bcmgenet_netif_sto.patch | 37 ++++ ...tore-phy_stop-depending-upon-suspend.patch | 71 +++++++ ...andle-pm_runtime_get-failing-in-.rem.patch | 67 ++++++ ...dst-with-sk-s-xfrm-policy-not-ctl_sk.patch | 119 +++++++++++ ...et-delay-time-to-avoid-configuration.patch | 44 ++++ ...sending-pfc-frames-after-reset-issue.patch | 91 ++++++++ ...ect-mac_offset-to-unwind-gso-skb-in-.patch | 101 +++++++++ ...add-w-a-for-packet-errors-seen-with-.patch | 77 +++++++ ...fix-tipc-header-files-for-kernel-doc.patch | 200 ++++++++++++++++++ ...t_rbtree-fix-null-deref-on-element-i.patch | 88 ++++++++ ...frm-i-support-for-nested-esp-tunnels.patch | 125 +++++++++++ ...n-t-pass-unused-pfns-to-hyper-v-host.patch | 65 ++++++ ...fix-of_iomap-leak-in-arc_serial_prob.patch | 51 +++++ queue-5.10/series | 36 ++++ ...rpc-fix-trace_svc_register-call-site.patch | 35 +++ ...-sk_priority-leak-in-tcp_v4_send_res.patch | 62 ++++++ ..._bearer_min_mtu-to-calculate-min-mtu.patch | 105 +++++++++ ...earer-min-mtu-properly-when-setting-.patch | 45 ++++ ...te-mtu-if-msg_max-is-too-small-in-mt.patch | 92 ++++++++ ...tial-uninit-value-in-vlan_dev_hard_s.patch | 93 ++++++++ ...lose-connected-socket-after-the-time.patch | 54 +++++ ...-mvm-don-t-trust-firmware-n_channels.patch | 60 ++++++ ...1-fix-min-center-freq-offset-tracing.patch | 39 ++++ ...-the-default-policy-if-the-policy-al.patch | 49 +++++ 37 files changed, 2751 insertions(+) create mode 100644 queue-5.10/af_key-reject-optional-tunnel-beet-mode-templates-in.patch create mode 100644 queue-5.10/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch create mode 100644 queue-5.10/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch create mode 100644 queue-5.10/bridge-always-declare-tunnel-functions.patch create mode 100644 queue-5.10/cassini-fix-a-memory-leak-in-the-error-handling-path.patch create mode 100644 queue-5.10/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch create mode 100644 queue-5.10/drm-exynos-fix-g2d_open-close-helper-function-defini.patch create mode 100644 queue-5.10/drm-msm-dp-unregister-audio-driver-during-unbind.patch create mode 100644 queue-5.10/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch create mode 100644 queue-5.10/erspan-get-the-proto-with-the-md-version-for-collect.patch create mode 100644 queue-5.10/igb-fix-bit_shift-to-be-in-1.8-range.patch create mode 100644 queue-5.10/ipv4-tcp-do-not-use-per-netns-ctl-sockets.patch create mode 100644 queue-5.10/media-netup_unidvb-fix-use-after-free-at-del_timer.patch create mode 100644 queue-5.10/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch create mode 100644 queue-5.10/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch create mode 100644 queue-5.10/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch create mode 100644 queue-5.10/net-find-dst-with-sk-s-xfrm-policy-not-ctl_sk.patch create mode 100644 queue-5.10/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch create mode 100644 queue-5.10/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch create mode 100644 queue-5.10/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch create mode 100644 queue-5.10/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch create mode 100644 queue-5.10/net-tipc-fix-tipc-header-files-for-kernel-doc.patch create mode 100644 queue-5.10/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch create mode 100644 queue-5.10/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch create mode 100644 queue-5.10/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch create mode 100644 queue-5.10/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch create mode 100644 queue-5.10/sunrpc-fix-trace_svc_register-call-site.patch create mode 100644 queue-5.10/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch create mode 100644 queue-5.10/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch create mode 100644 queue-5.10/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch create mode 100644 queue-5.10/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch create mode 100644 queue-5.10/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch create mode 100644 queue-5.10/vsock-avoid-to-close-connected-socket-after-the-time.patch create mode 100644 queue-5.10/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch create mode 100644 queue-5.10/wifi-mac80211-fix-min-center-freq-offset-tracing.patch create mode 100644 queue-5.10/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch diff --git a/queue-5.10/af_key-reject-optional-tunnel-beet-mode-templates-in.patch b/queue-5.10/af_key-reject-optional-tunnel-beet-mode-templates-in.patch new file mode 100644 index 00000000000..519c05dd522 --- /dev/null +++ b/queue-5.10/af_key-reject-optional-tunnel-beet-mode-templates-in.patch @@ -0,0 +1,71 @@ +From 91f125d6434be8502ea85afcd2f9e1f4017203e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 11:00:06 +0200 +Subject: af_key: Reject optional tunnel/BEET mode templates in outbound + policies + +From: Tobias Brunner + +[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ] + +xfrm_state_find() uses `encap_family` of the current template with +the passed local and remote addresses to find a matching state. +If an optional tunnel or BEET mode template is skipped in a mixed-family +scenario, there could be a mismatch causing an out-of-bounds read as +the addresses were not replaced to match the family of the next template. + +While there are theoretical use cases for optional templates in outbound +policies, the only practical one is to skip IPComp states in inbound +policies if uncompressed packets are received that are handled by an +implicitly created IPIP state instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tobias Brunner +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 8bc7d399987b2..fff2bd5f03e37 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1944,7 +1944,8 @@ static u32 gen_reqid(struct net *net) + } + + static int +-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) ++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol, ++ struct sadb_x_ipsecrequest *rq) + { + struct net *net = xp_net(xp); + struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr; +@@ -1962,9 +1963,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) + if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0) + return -EINVAL; + t->mode = mode; +- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) ++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) { ++ if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) && ++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND) ++ return -EINVAL; + t->optional = 1; +- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { ++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { + t->reqid = rq->sadb_x_ipsecrequest_reqid; + if (t->reqid > IPSEC_MANUAL_REQID_MAX) + t->reqid = 0; +@@ -2006,7 +2010,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) + rq->sadb_x_ipsecrequest_len < sizeof(*rq)) + return -EINVAL; + +- if ((err = parse_ipsecrequest(xp, rq)) < 0) ++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0) + return err; + len -= rq->sadb_x_ipsecrequest_len; + rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len); +-- +2.39.2 + diff --git a/queue-5.10/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch b/queue-5.10/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch new file mode 100644 index 00000000000..27a2e136ae3 --- /dev/null +++ b/queue-5.10/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch @@ -0,0 +1,41 @@ +From 7ac5af7f876125b9cfde6582c5ccda383dc5ecda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 12:07:11 +0300 +Subject: ALSA: firewire-digi00x: prevent potential use after free + +From: Dan Carpenter + +[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ] + +This code was supposed to return an error code if init_stream() +failed, but it instead freed dg00x->rx_stream and returned success. +This potentially leads to a use after free. + +Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/digi00x/digi00x-stream.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c +index 405d6903bfbc3..62a54f5ab84d7 100644 +--- a/sound/firewire/digi00x/digi00x-stream.c ++++ b/sound/firewire/digi00x/digi00x-stream.c +@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x) + return err; + + err = init_stream(dg00x, &dg00x->tx_stream); +- if (err < 0) ++ if (err < 0) { + destroy_stream(dg00x, &dg00x->rx_stream); ++ return err; ++ } + + err = amdtp_domain_init(&dg00x->domain); + if (err < 0) { +-- +2.39.2 + diff --git a/queue-5.10/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch b/queue-5.10/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch new file mode 100644 index 00000000000..27363791f36 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch @@ -0,0 +1,39 @@ +From 2dc0d30fde6e1a98c5e812e7612b86ccb9907485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 12:32:21 -0500 +Subject: ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 + +From: Ryan C. Underwood + +[ Upstream commit 92553ee03166ef8fa978e7683f9f4af30c9c4e6b ] + +The Pavilion 15 line has B&O top speakers similar to the x360 and +applying the same profile produces good sound. Without this, the +sound would be tinny and underpowered without either applying +model=alc295-hp-x360 or booting another OS first. + +Signed-off-by: Ryan Underwood +Fixes: 563785edfcef ("ALSA: hda/realtek - Add quirk entry for HP Pavilion 15") +Link: https://lore.kernel.org/r/ZF0mpcMz3ezP9KQw@icequake.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 18309fa17fb87..c7e25d19c9d92 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8944,7 +8944,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC), + SND_PCI_QUIRK(0x103c, 0x8158, "HP", ALC256_FIXUP_HP_HEADSET_MIC), +- SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), ++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC), + SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x827f, "HP x360", ALC269_FIXUP_HP_MUTE_LED_MIC3), +-- +2.39.2 + diff --git a/queue-5.10/bridge-always-declare-tunnel-functions.patch b/queue-5.10/bridge-always-declare-tunnel-functions.patch new file mode 100644 index 00000000000..891a8b27ed4 --- /dev/null +++ b/queue-5.10/bridge-always-declare-tunnel-functions.patch @@ -0,0 +1,61 @@ +From b06331a073966c4bd42f0e07aaeb9eccfd8a3131 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:45:35 +0200 +Subject: bridge: always declare tunnel functions + +From: Arnd Bergmann + +[ Upstream commit 89dcd87ce534a3a7f267cfd58505803006f51301 ] + +When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still +defined but have no prototype or caller. This causes a W=1 warning for +the missing prototypes: + +net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes] +net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes] + +The functions are already contitional on CONFIG_BRIDGE_VLAN_FILTERING, +and I coulnd't easily figure out the right set of #ifdefs, so just +move the declarations out of the #ifdef to avoid the warning, +at a small cost in code size over a more elaborate fix. + +Fixes: 188c67dd1906 ("net: bridge: vlan options: add support for tunnel id dumping") +Fixes: 569da0822808 ("net: bridge: vlan options: add support for tunnel mapping set/del") +Signed-off-by: Arnd Bergmann +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_private_tunnel.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_private_tunnel.h b/net/bridge/br_private_tunnel.h +index c54cc26211d7c..f6c65dc088d60 100644 +--- a/net/bridge/br_private_tunnel.h ++++ b/net/bridge/br_private_tunnel.h +@@ -27,6 +27,10 @@ int br_process_vlan_tunnel_info(const struct net_bridge *br, + int br_get_vlan_tunnel_info_size(struct net_bridge_vlan_group *vg); + int br_fill_vlan_tunnel_info(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); ++bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, ++ const struct net_bridge_vlan *v_last); ++int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, ++ u16 vid, u32 tun_id, bool *changed); + + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + /* br_vlan_tunnel.c */ +@@ -43,10 +47,6 @@ int br_handle_ingress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); + int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan *vlan); +-bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, +- const struct net_bridge_vlan *v_last); +-int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, +- u16 vid, u32 tun_id, bool *changed); + #else + static inline int vlan_tunnel_init(struct net_bridge_vlan_group *vg) + { +-- +2.39.2 + diff --git a/queue-5.10/cassini-fix-a-memory-leak-in-the-error-handling-path.patch b/queue-5.10/cassini-fix-a-memory-leak-in-the-error-handling-path.patch new file mode 100644 index 00000000000..29356b1a2ae --- /dev/null +++ b/queue-5.10/cassini-fix-a-memory-leak-in-the-error-handling-path.patch @@ -0,0 +1,42 @@ +From 312f382dfbc60b2861b0b1298c24e0b08cfd1e59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:09:11 +0200 +Subject: cassini: Fix a memory leak in the error handling path of + cas_init_one() + +From: Christophe JAILLET + +[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ] + +cas_saturn_firmware_init() allocates some memory using vmalloc(). This +memory is freed in the .remove() function but not it the error handling +path of the probe. + +Add the missing vfree() to avoid a memory leak, should an error occur. + +Fixes: fcaa40669cd7 ("cassini: use request_firmware") +Signed-off-by: Christophe JAILLET +Reviewed-by: Pavan Chebbi +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/cassini.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c +index 9ff894ba8d3ea..d245f6e21e8ca 100644 +--- a/drivers/net/ethernet/sun/cassini.c ++++ b/drivers/net/ethernet/sun/cassini.c +@@ -5122,6 +5122,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + cas_shutdown(cp); + mutex_unlock(&cp->pm_mutex); + ++ vfree(cp->fw_data); ++ + pci_iounmap(pdev, cp->regs); + + +-- +2.39.2 + diff --git a/queue-5.10/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch b/queue-5.10/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch new file mode 100644 index 00000000000..bd2a15fef60 --- /dev/null +++ b/queue-5.10/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch @@ -0,0 +1,159 @@ +From 110a65b2525ddd2700789ebf279ef31648d7ab26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 06:25:44 +0000 +Subject: cpupower: Make TSC read per CPU for Mperf monitor + +From: Wyes Karny + +[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ] + +System-wide TSC read could cause a drift in C0 percentage calculation. +Because if first TSC is read and then one by one mperf is read for all +cpus, this introduces drift between mperf reading of later CPUs and TSC +reading. To lower this drift read TSC per CPU and also just after mperf +read. This technique improves C0 percentage calculation in Mperf monitor. + +Before fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + +After fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 1| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + +Cc: Thomas Renninger +Cc: Shuah Khan +Cc: Dominik Brodowski + +Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features") +Signed-off-by: Wyes Karny +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++---------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index e7d48cb563c0e..ae6af354a81db 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -70,8 +70,8 @@ static int max_freq_mode; + */ + static unsigned long max_frequency; + +-static unsigned long long tsc_at_measure_start; +-static unsigned long long tsc_at_measure_end; ++static unsigned long long *tsc_at_measure_start; ++static unsigned long long *tsc_at_measure_end; + static unsigned long long *mperf_previous_count; + static unsigned long long *aperf_previous_count; + static unsigned long long *mperf_current_count; +@@ -169,7 +169,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent, + aperf_diff = aperf_current_count[cpu] - aperf_previous_count[cpu]; + + if (max_freq_mode == MAX_FREQ_TSC_REF) { +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + *percent = 100.0 * mperf_diff / tsc_diff; + dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n", + mperf_cstates[id].name, mperf_diff, tsc_diff); +@@ -206,7 +206,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + + if (max_freq_mode == MAX_FREQ_TSC_REF) { + /* Calculate max_freq from TSC count */ +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + time_diff = timespec_diff_us(time_start, time_end); + max_frequency = tsc_diff / time_diff; + } +@@ -225,33 +225,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + static int mperf_start(void) + { + int cpu; +- unsigned long long dbg; + + clock_gettime(CLOCK_REALTIME, &time_start); +- mperf_get_tsc(&tsc_at_measure_start); + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { ++ mperf_get_tsc(&tsc_at_measure_start[cpu]); + mperf_init_stats(cpu); ++ } + +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start); + return 0; + } + + static int mperf_stop(void) + { +- unsigned long long dbg; + int cpu; + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { + mperf_measure_stats(cpu); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ } + +- mperf_get_tsc(&tsc_at_measure_end); + clock_gettime(CLOCK_REALTIME, &time_end); +- +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end); +- + return 0; + } + +@@ -353,7 +347,8 @@ struct cpuidle_monitor *mperf_register(void) + aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long)); + mperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); + aperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); +- ++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long)); ++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long)); + mperf_monitor.name_len = strlen(mperf_monitor.name); + return &mperf_monitor; + } +@@ -364,6 +359,8 @@ void mperf_unregister(void) + free(aperf_previous_count); + free(mperf_current_count); + free(aperf_current_count); ++ free(tsc_at_measure_start); ++ free(tsc_at_measure_end); + free(is_valid); + } + +-- +2.39.2 + diff --git a/queue-5.10/drm-exynos-fix-g2d_open-close-helper-function-defini.patch b/queue-5.10/drm-exynos-fix-g2d_open-close-helper-function-defini.patch new file mode 100644 index 00000000000..6f81cae87e8 --- /dev/null +++ b/queue-5.10/drm-exynos-fix-g2d_open-close-helper-function-defini.patch @@ -0,0 +1,48 @@ +From 875204bb777165871a8cdffa17dc3b0e0b019bdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 23:04:11 +0200 +Subject: drm/exynos: fix g2d_open/close helper function definitions + +From: Arnd Bergmann + +[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ] + +The empty stub functions are defined as global functions, which +causes a warning because of missing prototypes: + +drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open' +drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close' + +Mark them as 'static inline' to avoid the warning and to make +them behave as intended. + +Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API") +Signed-off-by: Arnd Bergmann +Reviewed-by: Andi Shyti +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +index 74ea3c26deadc..1a5ae781b56c6 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data, + return -ENODEV; + } + +-int g2d_open(struct drm_device *drm_dev, struct drm_file *file) ++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file) + { + return 0; + } + +-void g2d_close(struct drm_device *drm_dev, struct drm_file *file) ++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file) + { } + #endif +-- +2.39.2 + diff --git a/queue-5.10/drm-msm-dp-unregister-audio-driver-during-unbind.patch b/queue-5.10/drm-msm-dp-unregister-audio-driver-during-unbind.patch new file mode 100644 index 00000000000..b18e367bfd2 --- /dev/null +++ b/queue-5.10/drm-msm-dp-unregister-audio-driver-during-unbind.patch @@ -0,0 +1,81 @@ +From 7621cd17e843523f6b3a8b49325e3a2cfce378f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 15:56:57 +0100 +Subject: drm/msm/dp: unregister audio driver during unbind + +From: Srinivas Kandagatla + +[ Upstream commit 85c636284cb63b7740b4ae98881ace92158068d3 ] + +while binding the code always registers a audio driver, however there +is no corresponding unregistration done in unbind. This leads to multiple +redundant audio platform devices if dp_display_bind and dp_display_unbind +happens multiple times during startup. On X13s platform this resulted in +6 to 9 audio codec device instead of just 3 codec devices for 3 dp ports. + +Fix this by unregistering codecs on unbind. + +Signed-off-by: Srinivas Kandagatla +Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM") +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/533324/ +Link: https://lore.kernel.org/r/20230421145657.12186-1-srinivas.kandagatla@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_audio.c | 12 ++++++++++++ + drivers/gpu/drm/msm/dp/dp_audio.h | 2 ++ + drivers/gpu/drm/msm/dp/dp_display.c | 1 + + 3 files changed, 15 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c +index d7e4a39a904e2..0eaaaa94563a3 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.c ++++ b/drivers/gpu/drm/msm/dp/dp_audio.c +@@ -577,6 +577,18 @@ static struct hdmi_codec_pdata codec_data = { + .i2s = 1, + }; + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio) ++{ ++ struct dp_audio_private *audio_priv; ++ ++ audio_priv = container_of(dp_audio, struct dp_audio_private, dp_audio); ++ ++ if (audio_priv->audio_pdev) { ++ platform_device_unregister(audio_priv->audio_pdev); ++ audio_priv->audio_pdev = NULL; ++ } ++} ++ + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio) + { +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.h b/drivers/gpu/drm/msm/dp/dp_audio.h +index 84e5f4a5d26ba..4ab78880af829 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.h ++++ b/drivers/gpu/drm/msm/dp/dp_audio.h +@@ -53,6 +53,8 @@ struct dp_audio *dp_audio_get(struct platform_device *pdev, + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio); + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio); ++ + /** + * dp_audio_put() + * +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index 1c3dcbc6cce8c..0bcccf422192c 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -276,6 +276,7 @@ static void dp_display_unbind(struct device *dev, struct device *master, + kthread_stop(dp->ev_tsk); + + dp_power_client_deinit(dp->power); ++ dp_unregister_audio_driver(dev, dp->audio); + dp_aux_unregister(dp->aux); + priv->dp = NULL; + } +-- +2.39.2 + diff --git a/queue-5.10/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch b/queue-5.10/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch new file mode 100644 index 00000000000..da355143efe --- /dev/null +++ b/queue-5.10/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch @@ -0,0 +1,45 @@ +From 6a1841392b1f7c66bc2d6b32a73d0fe95e441bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 00:37:22 +0200 +Subject: drm/msm/dpu: Remove duplicate register defines from INTF + +From: Marijn Suijten + +[ Upstream commit 202c044203ac5860e3025169105368d99f9bc6a2 ] + +The INTF_FRAME_LINE_COUNT_EN, INTF_FRAME_COUNT and INTF_LINE_COUNT +registers are already defined higher up, in the right place when sorted +numerically. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534231/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-8-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +index 108882bbd2b8b..7aa6accb74ad3 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +@@ -51,11 +51,6 @@ + #define INTF_TPG_RGB_MAPPING 0x11C + #define INTF_PROG_FETCH_START 0x170 + #define INTF_PROG_ROT_START 0x174 +- +-#define INTF_FRAME_LINE_COUNT_EN 0x0A8 +-#define INTF_FRAME_COUNT 0x0AC +-#define INTF_LINE_COUNT 0x0B0 +- + #define INTF_MUX 0x25C + + static const struct dpu_intf_cfg *_intf_offset(enum dpu_intf intf, +-- +2.39.2 + diff --git a/queue-5.10/erspan-get-the-proto-with-the-md-version-for-collect.patch b/queue-5.10/erspan-get-the-proto-with-the-md-version-for-collect.patch new file mode 100644 index 00000000000..3e9bfecd5e6 --- /dev/null +++ b/queue-5.10/erspan-get-the-proto-with-the-md-version-for-collect.patch @@ -0,0 +1,81 @@ +From 4cc64d109a2e2c3b70510213330106b03ded5dec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:22:11 -0400 +Subject: erspan: get the proto with the md version for collect_md + +From: Xin Long + +[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ] + +In commit 20704bd1633d ("erspan: build the header with the right proto +according to erspan_ver"), it gets the proto with t->parms.erspan_ver, +but t->parms.erspan_ver is not used by collect_md branch, and instead +it should get the proto with md->version for collect_md. + +Thanks to Kevin for pointing this out. + +Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver") +Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support") +Reported-by: Kevin Traynor +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Reviewed-by: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 2332b5b81c551..7b50e1811678e 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1015,12 +1015,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + ntohl(tun_id), + ntohl(md->u.index), truncate, + false); ++ proto = htons(ETH_P_ERSPAN); + } else if (md->version == 2) { + erspan_build_header_v2(skb, + ntohl(tun_id), + md->u.md2.dir, + get_hwid(&md->u.md2), + truncate, false); ++ proto = htons(ETH_P_ERSPAN2); + } else { + goto tx_err; + } +@@ -1043,24 +1045,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + break; + } + +- if (t->parms.erspan_ver == 1) ++ if (t->parms.erspan_ver == 1) { + erspan_build_header(skb, ntohl(t->parms.o_key), + t->parms.index, + truncate, false); +- else if (t->parms.erspan_ver == 2) ++ proto = htons(ETH_P_ERSPAN); ++ } else if (t->parms.erspan_ver == 2) { + erspan_build_header_v2(skb, ntohl(t->parms.o_key), + t->parms.dir, + t->parms.hwid, + truncate, false); +- else ++ proto = htons(ETH_P_ERSPAN2); ++ } else { + goto tx_err; ++ } + + fl6.daddr = t->parms.raddr; + } + + /* Push GRE header. */ +- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN) +- : htons(ETH_P_ERSPAN2); + gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno))); + + /* TooBig packet may have updated dst->dev's mtu */ +-- +2.39.2 + diff --git a/queue-5.10/igb-fix-bit_shift-to-be-in-1.8-range.patch b/queue-5.10/igb-fix-bit_shift-to-be-in-1.8-range.patch new file mode 100644 index 00000000000..fba740bfc5d --- /dev/null +++ b/queue-5.10/igb-fix-bit_shift-to-be-in-1.8-range.patch @@ -0,0 +1,50 @@ +From 6222f352ef552dd54efa57e4d62dcf6f812cd931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 10:41:46 -0700 +Subject: igb: fix bit_shift to be in [1..8] range + +From: Aleksandr Loktionov + +[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ] + +In igb_hash_mc_addr() the expression: + "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]" +shift by more than 7 bits always yields zero, so hash becomes not so different. +Add initialization with bit_shift = 1 and add a loop condition to ensure +bit_shift will be always in [1..8] range. + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Aleksandr Loktionov +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c +index fd8eb2f9ab9dc..57e813405b311 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_mac.c ++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c +@@ -426,7 +426,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value) + static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + { + u32 hash_value, hash_mask; +- u8 bit_shift = 0; ++ u8 bit_shift = 1; + + /* Register count multiplied by bits per register */ + hash_mask = (hw->mac.mta_reg_count * 32) - 1; +@@ -434,7 +434,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + /* For a mc_filter_type of 0, bit_shift is the number of left-shifts + * where 0xFF would still fall within the hash mask. + */ +- while (hash_mask >> bit_shift != 0xFF) ++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4) + bit_shift++; + + /* The portion of the address that is used for the hash table +-- +2.39.2 + diff --git a/queue-5.10/ipv4-tcp-do-not-use-per-netns-ctl-sockets.patch b/queue-5.10/ipv4-tcp-do-not-use-per-netns-ctl-sockets.patch new file mode 100644 index 00000000000..a63dc738a9f --- /dev/null +++ b/queue-5.10/ipv4-tcp-do-not-use-per-netns-ctl-sockets.patch @@ -0,0 +1,178 @@ +From ee2eacb1038e77e21d9d4bf49423a8f3ab16c830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jan 2022 12:24:57 -0800 +Subject: ipv4/tcp: do not use per netns ctl sockets + +From: Eric Dumazet + +[ Upstream commit 37ba017dcc3b1123206808979834655ddcf93251 ] + +TCP ipv4 uses per-cpu/per-netns ctl sockets in order to send +RST and some ACK packets (on behalf of TIMEWAIT sockets). + +This adds memory and cpu costs, which do not seem needed. +Now typical servers have 256 or more cores, this adds considerable +tax to netns users. + +tcp sockets are used from BH context, are not receiving packets, +and do not store any persistent state but the 'struct net' pointer +in order to be able to use IPv4 output functions. + +Note that I attempted a related change in the past, that had +to be hot-fixed in commit bdbbb8527b6f ("ipv4: tcp: get rid of ugly unicast_sock") + +This patch could very well surface old bugs, on layers not +taking care of sk->sk_kern_sock properly. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 1e306ec49a1f ("tcp: fix possible sk_priority leak in tcp_v4_send_reset()") +Signed-off-by: Sasha Levin +--- + include/net/netns/ipv4.h | 1 - + net/ipv4/tcp_ipv4.c | 61 ++++++++++++++++++---------------------- + 2 files changed, 27 insertions(+), 35 deletions(-) + +diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h +index d8b320cf54ba0..4a4a5270ff6f2 100644 +--- a/include/net/netns/ipv4.h ++++ b/include/net/netns/ipv4.h +@@ -71,7 +71,6 @@ struct netns_ipv4 { + struct sock *mc_autojoin_sk; + + struct inet_peer_base *peers; +- struct sock * __percpu *tcp_sk; + struct fqdir *fqdir; + #ifdef CONFIG_NETFILTER + struct xt_table *iptable_filter; +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 8bd7b1ec3b6a3..275ae42be99e0 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -91,6 +91,8 @@ static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key, + struct inet_hashinfo tcp_hashinfo; + EXPORT_SYMBOL(tcp_hashinfo); + ++static DEFINE_PER_CPU(struct sock *, ipv4_tcp_sk); ++ + static u32 tcp_v4_init_seq(const struct sk_buff *skb) + { + return secure_tcp_seq(ip_hdr(skb)->daddr, +@@ -794,7 +796,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + arg.tos = ip_hdr(skb)->tos; + arg.uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL); + local_bh_disable(); +- ctl_sk = this_cpu_read(*net->ipv4.tcp_sk); ++ ctl_sk = this_cpu_read(ipv4_tcp_sk); ++ sock_net_set(ctl_sk, net); + if (sk) { + ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ? + inet_twsk(sk)->tw_mark : sk->sk_mark; +@@ -809,6 +812,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + transmit_time); + + ctl_sk->sk_mark = 0; ++ sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + __TCP_INC_STATS(net, TCP_MIB_OUTRSTS); + local_bh_enable(); +@@ -892,7 +896,8 @@ static void tcp_v4_send_ack(const struct sock *sk, + arg.tos = tos; + arg.uid = sock_net_uid(net, sk_fullsock(sk) ? sk : NULL); + local_bh_disable(); +- ctl_sk = this_cpu_read(*net->ipv4.tcp_sk); ++ ctl_sk = this_cpu_read(ipv4_tcp_sk); ++ sock_net_set(ctl_sk, net); + ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ? + inet_twsk(sk)->tw_mark : sk->sk_mark; + ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ? +@@ -905,6 +910,7 @@ static void tcp_v4_send_ack(const struct sock *sk, + transmit_time); + + ctl_sk->sk_mark = 0; ++ sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + local_bh_enable(); + } +@@ -2828,41 +2834,14 @@ EXPORT_SYMBOL(tcp_prot); + + static void __net_exit tcp_sk_exit(struct net *net) + { +- int cpu; +- + if (net->ipv4.tcp_congestion_control) + bpf_module_put(net->ipv4.tcp_congestion_control, + net->ipv4.tcp_congestion_control->owner); +- +- for_each_possible_cpu(cpu) +- inet_ctl_sock_destroy(*per_cpu_ptr(net->ipv4.tcp_sk, cpu)); +- free_percpu(net->ipv4.tcp_sk); + } + + static int __net_init tcp_sk_init(struct net *net) + { +- int res, cpu, cnt; +- +- net->ipv4.tcp_sk = alloc_percpu(struct sock *); +- if (!net->ipv4.tcp_sk) +- return -ENOMEM; +- +- for_each_possible_cpu(cpu) { +- struct sock *sk; +- +- res = inet_ctl_sock_create(&sk, PF_INET, SOCK_RAW, +- IPPROTO_TCP, net); +- if (res) +- goto fail; +- sock_set_flag(sk, SOCK_USE_WRITE_QUEUE); +- +- /* Please enforce IP_DF and IPID==0 for RST and +- * ACK sent in SYN-RECV and TIME-WAIT state. +- */ +- inet_sk(sk)->pmtudisc = IP_PMTUDISC_DO; +- +- *per_cpu_ptr(net->ipv4.tcp_sk, cpu) = sk; +- } ++ int cnt; + + net->ipv4.sysctl_tcp_ecn = 2; + net->ipv4.sysctl_tcp_ecn_fallback = 1; +@@ -2947,10 +2926,6 @@ static int __net_init tcp_sk_init(struct net *net) + net->ipv4.tcp_congestion_control = &tcp_reno; + + return 0; +-fail: +- tcp_sk_exit(net); +- +- return res; + } + + static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list) +@@ -3027,6 +3002,24 @@ static void __init bpf_iter_register(void) + + void __init tcp_v4_init(void) + { ++ int cpu, res; ++ ++ for_each_possible_cpu(cpu) { ++ struct sock *sk; ++ ++ res = inet_ctl_sock_create(&sk, PF_INET, SOCK_RAW, ++ IPPROTO_TCP, &init_net); ++ if (res) ++ panic("Failed to create the TCP control socket.\n"); ++ sock_set_flag(sk, SOCK_USE_WRITE_QUEUE); ++ ++ /* Please enforce IP_DF and IPID==0 for RST and ++ * ACK sent in SYN-RECV and TIME-WAIT state. ++ */ ++ inet_sk(sk)->pmtudisc = IP_PMTUDISC_DO; ++ ++ per_cpu(ipv4_tcp_sk, cpu) = sk; ++ } + if (register_pernet_subsys(&tcp_sk_ops)) + panic("Failed to create the TCP control socket.\n"); + +-- +2.39.2 + diff --git a/queue-5.10/media-netup_unidvb-fix-use-after-free-at-del_timer.patch b/queue-5.10/media-netup_unidvb-fix-use-after-free-at-del_timer.patch new file mode 100644 index 00000000000..6798f055a7b --- /dev/null +++ b/queue-5.10/media-netup_unidvb-fix-use-after-free-at-del_timer.patch @@ -0,0 +1,49 @@ +From bf5d888640a8f86a14a6e1444db4272a8ec9fd6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 12:55:14 +0000 +Subject: media: netup_unidvb: fix use-after-free at del_timer() + +From: Duoming Zhou + +[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ] + +When Universal DVB card is detaching, netup_unidvb_dma_fini() +uses del_timer() to stop dma->timeout timer. But when timer +handler netup_unidvb_dma_timeout() is running, del_timer() +could not stop it. As a result, the use-after-free bug could +happen. The process is shown below: + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +netup_unidvb_finidev() | (wait a time) + netup_unidvb_dma_fini() | netup_unidvb_dma_timeout() + del_timer(&dma->timeout); | + | ndev->pci_dev->dev //USE + +Fix by changing del_timer() to del_timer_sync(). + +Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn +Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index 77bae14685513..a71814e2772d1 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num) + netup_unidvb_dma_enable(dma, 0); + msleep(50); + cancel_work_sync(&dma->work); +- del_timer(&dma->timeout); ++ del_timer_sync(&dma->timeout); + } + + static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev) +-- +2.39.2 + diff --git a/queue-5.10/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch b/queue-5.10/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch new file mode 100644 index 00000000000..60269c563b7 --- /dev/null +++ b/queue-5.10/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch @@ -0,0 +1,37 @@ +From 47a7486fdbff57aecfe1371f8c06a48638b35d65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:07:27 -0700 +Subject: net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() + +From: Florian Fainelli + +[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ] + +The call to phy_stop() races with the later call to phy_disconnect(), +resulting in concurrent phy_suspend() calls being run from different +CPUs. The final call to phy_disconnect() ensures that the PHY is +stopped and suspended, too. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 7667cbb5adfd6..20b161620fee9 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3412,7 +3412,6 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + +- phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +-- +2.39.2 + diff --git a/queue-5.10/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch b/queue-5.10/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch new file mode 100644 index 00000000000..e27e48e91a2 --- /dev/null +++ b/queue-5.10/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch @@ -0,0 +1,71 @@ +From e598839dbd7892e2f3b2b9728bfa208f2e0f8fa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 19:56:07 -0700 +Subject: net: bcmgenet: Restore phy_stop() depending upon suspend/close + +From: Florian Fainelli + +[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ] + +Removing the phy_stop() from bcmgenet_netif_stop() ended up causing +warnings from the PHY library that phy_start() is called from the +RUNNING state since we are no longer stopping the PHY state machine +during bcmgenet_suspend(). + +Restore the call to phy_stop() but make it conditional on being called +from the close or suspend path. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()") +Signed-off-by: Florian Fainelli +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 20b161620fee9..145488449f133 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3397,7 +3397,7 @@ static int bcmgenet_open(struct net_device *dev) + return ret; + } + +-static void bcmgenet_netif_stop(struct net_device *dev) ++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + +@@ -3412,6 +3412,8 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + ++ if (stop_phy) ++ phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +@@ -3437,7 +3439,7 @@ static int bcmgenet_close(struct net_device *dev) + + netif_dbg(priv, ifdown, dev, "bcmgenet_close\n"); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, false); + + /* Really kill the PHY state machine and disconnect from it */ + phy_disconnect(dev->phydev); +@@ -4239,7 +4241,7 @@ static int bcmgenet_suspend(struct device *d) + + netif_device_detach(dev); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, true); + + if (!device_may_wakeup(d)) + phy_suspend(dev->phydev); +-- +2.39.2 + diff --git a/queue-5.10/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch b/queue-5.10/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch new file mode 100644 index 00000000000..d416fe52d59 --- /dev/null +++ b/queue-5.10/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch @@ -0,0 +1,67 @@ +From acf1d297d3067c2b9e1bac5242560a7e85c6d00b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 22:00:20 +0200 +Subject: net: fec: Better handle pm_runtime_get() failing in .remove() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ] + +In the (unlikely) event that pm_runtime_get() (disguised as +pm_runtime_resume_and_get()) fails, the remove callback returned an +error early. The problem with this is that the driver core ignores the +error value and continues removing the device. This results in a +resource leak. Worse the devm allocated resources are freed and so if a +callback of the driver is called later the register mapping is already +gone which probably results in a crash. + +Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 686bb873125cc..e18b3b72fc0df 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3850,9 +3850,11 @@ fec_drv_remove(struct platform_device *pdev) + struct device_node *np = pdev->dev.of_node; + int ret; + +- ret = pm_runtime_resume_and_get(&pdev->dev); ++ ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) +- return ret; ++ dev_err(&pdev->dev, ++ "Failed to resume device in remove callback (%pe)\n", ++ ERR_PTR(ret)); + + cancel_work_sync(&fep->tx_timeout_work); + fec_ptp_stop(pdev); +@@ -3865,8 +3867,13 @@ fec_drv_remove(struct platform_device *pdev) + of_phy_deregister_fixed_link(np); + of_node_put(fep->phy_node); + +- clk_disable_unprepare(fep->clk_ahb); +- clk_disable_unprepare(fep->clk_ipg); ++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip ++ * disabling them again. ++ */ ++ if (ret >= 0) { ++ clk_disable_unprepare(fep->clk_ahb); ++ clk_disable_unprepare(fep->clk_ipg); ++ } + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +-- +2.39.2 + diff --git a/queue-5.10/net-find-dst-with-sk-s-xfrm-policy-not-ctl_sk.patch b/queue-5.10/net-find-dst-with-sk-s-xfrm-policy-not-ctl_sk.patch new file mode 100644 index 00000000000..e557a22f3f6 --- /dev/null +++ b/queue-5.10/net-find-dst-with-sk-s-xfrm-policy-not-ctl_sk.patch @@ -0,0 +1,119 @@ +From a83c1315020aaaaf510b789e287d95e837fd4ca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 10:01:39 +0000 +Subject: net: Find dst with sk's xfrm policy not ctl_sk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: sewookseo + +[ Upstream commit e22aa14866684f77b4f6b6cae98539e520ddb731 ] + +If we set XFRM security policy by calling setsockopt with option +IPV6_XFRM_POLICY, the policy will be stored in 'sock_policy' in 'sock' +struct. However tcp_v6_send_response doesn't look up dst_entry with the +actual socket but looks up with tcp control socket. This may cause a +problem that a RST packet is sent without ESP encryption & peer's TCP +socket can't receive it. +This patch will make the function look up dest_entry with actual socket, +if the socket has XFRM policy(sock_policy), so that the TCP response +packet via this function can be encrypted, & aligned on the encrypted +TCP socket. + +Tested: We encountered this problem when a TCP socket which is encrypted +in ESP transport mode encryption, receives challenge ACK at SYN_SENT +state. After receiving challenge ACK, TCP needs to send RST to +establish the socket at next SYN try. But the RST was not encrypted & +peer TCP socket still remains on ESTABLISHED state. +So we verified this with test step as below. +[Test step] +1. Making a TCP state mismatch between client(IDLE) & server(ESTABLISHED). +2. Client tries a new connection on the same TCP ports(src & dst). +3. Server will return challenge ACK instead of SYN,ACK. +4. Client will send RST to server to clear the SOCKET. +5. Client will retransmit SYN to server on the same TCP ports. +[Expected result] +The TCP connection should be established. + +Cc: Maciej Żenczykowski +Cc: Eric Dumazet +Cc: Steffen Klassert +Cc: Sehee Lee +Signed-off-by: Sewook Seo +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 1e306ec49a1f ("tcp: fix possible sk_priority leak in tcp_v4_send_reset()") +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 2 ++ + net/ipv4/ip_output.c | 2 +- + net/ipv4/tcp_ipv4.c | 2 ++ + net/ipv6/tcp_ipv6.c | 5 ++++- + 4 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 8a9943d935f14..726a2dbb407f1 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1198,6 +1198,8 @@ int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk); + + static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) + { ++ if (!sk_fullsock(osk)) ++ return 0; + sk->sk_policy[0] = NULL; + sk->sk_policy[1] = NULL; + if (unlikely(osk->sk_policy[0] || osk->sk_policy[1])) +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 1e07df2821773..6fd04f2f8b40c 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1723,7 +1723,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + tcp_hdr(skb)->source, tcp_hdr(skb)->dest, + arg->uid); + security_skb_classify_flow(skb, flowi4_to_flowi_common(&fl4)); +- rt = ip_route_output_key(net, &fl4); ++ rt = ip_route_output_flow(net, &fl4, sk); + if (IS_ERR(rt)) + return; + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 275ae42be99e0..1995d46afb214 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -804,6 +804,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ? + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); ++ xfrm_sk_clone_policy(ctl_sk, sk); + } + ip_send_unicast_reply(ctl_sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, +@@ -812,6 +813,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + transmit_time); + + ctl_sk->sk_mark = 0; ++ xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + __TCP_INC_STATS(net, TCP_MIB_OUTRSTS); +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 2347740d3cc7c..fe29bc66aeac7 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -984,7 +984,10 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 + * Underlying function will use this to retrieve the network + * namespace + */ +- dst = ip6_dst_lookup_flow(sock_net(ctl_sk), ctl_sk, &fl6, NULL); ++ if (sk && sk->sk_state != TCP_TIME_WAIT) ++ dst = ip6_dst_lookup_flow(net, sk, &fl6, NULL); /*sk's xfrm_policy can be referred*/ ++ else ++ dst = ip6_dst_lookup_flow(net, ctl_sk, &fl6, NULL); + if (!IS_ERR(dst)) { + skb_dst_set(buff, dst); + ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL, +-- +2.39.2 + diff --git a/queue-5.10/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch b/queue-5.10/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch new file mode 100644 index 00000000000..02bda76c62c --- /dev/null +++ b/queue-5.10/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch @@ -0,0 +1,44 @@ +From d26b72bcec731e9f807bbe61c4cbcc19c478125e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:13 +0800 +Subject: net: hns3: fix reset delay time to avoid configuration timeout + +From: Jie Wang + +[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ] + +Currently the hns3 vf function reset delays 5000ms before vf rebuild +process. In product applications, this delay is too long for application +configurations and causes configuration timeout. + +According to the tests, 500ms delay is enough for reset process except PF +FLR. So this patch modifies delay to 500ms in these scenarios. + +Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer") +Signed-off-by: Jie Wang +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index f7f3e4bbc4770..7d05915c35e38 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -1772,7 +1772,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev) + * might happen in case reset assertion was made by PF. Yes, this also + * means we might end up waiting bit more even for VF reset. + */ +- msleep(5000); ++ if (hdev->reset_type == HNAE3_VF_FULL_RESET) ++ msleep(5000); ++ else ++ msleep(500); + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.10/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch b/queue-5.10/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch new file mode 100644 index 00000000000..2d9150992df --- /dev/null +++ b/queue-5.10/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch @@ -0,0 +1,91 @@ +From 1c18a66e1459492f22e9eae04a9a8cd590c37150 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:12 +0800 +Subject: net: hns3: fix sending pfc frames after reset issue + +From: Jijie Shao + +[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ] + +To prevent the system from abnormally sending PFC frames after an +abnormal reset. The hns3 driver notifies the firmware to disable pfc +before reset. + +Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset") +Signed-off-by: Jijie Shao +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 15 +++++++++------ + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 4 ++-- + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 5 +++++ + 3 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 2070e26a3a358..1ec1709446bab 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -7023,12 +7023,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle) + /* If it is not PF reset or FLR, the firmware will disable the MAC, + * so it only need to stop phy here. + */ +- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) && +- hdev->reset_type != HNAE3_FUNC_RESET && +- hdev->reset_type != HNAE3_FLR_RESET) { +- hclge_mac_stop_phy(hdev); +- hclge_update_link_status(hdev); +- return; ++ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) { ++ hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, ++ HCLGE_PFC_DISABLE); ++ if (hdev->reset_type != HNAE3_FUNC_RESET && ++ hdev->reset_type != HNAE3_FLR_RESET) { ++ hclge_mac_stop_phy(hdev); ++ hclge_update_link_status(hdev); ++ return; ++ } + } + + for (i = 0; i < handle->kinfo.num_tqps; i++) +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index 9168e39b63641..b3ceaaaeacaeb 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -169,8 +169,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx) + return hclge_cmd_send(&hdev->hw, &desc, 1); + } + +-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, +- u8 pfc_bitmap) ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap) + { + struct hclge_desc desc; + struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +index bb2a2d8e92591..42932c879b360 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +@@ -117,6 +117,9 @@ struct hclge_bp_to_qs_map_cmd { + u32 rsvd1; + }; + ++#define HCLGE_PFC_DISABLE 0 ++#define HCLGE_PFC_TX_RX_DISABLE 0 ++ + struct hclge_pfc_en_cmd { + u8 tx_rx_en_bitmap; + u8 pri_en_bitmap; +@@ -164,6 +167,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc); + void hclge_tm_pfc_info_update(struct hclge_dev *hdev); + int hclge_tm_dwrr_cfg(struct hclge_dev *hdev); + int hclge_tm_init_hw(struct hclge_dev *hdev, bool init); ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap); + int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx); + int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr); + int hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats); +-- +2.39.2 + diff --git a/queue-5.10/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch b/queue-5.10/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch new file mode 100644 index 00000000000..9e468fd1cd9 --- /dev/null +++ b/queue-5.10/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch @@ -0,0 +1,101 @@ +From 08c0054d79ee4bc6baeed72deef2af429a12dd5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 20:54:40 +0800 +Subject: net: nsh: Use correct mac_offset to unwind gso skb in + nsh_gso_segment() + +From: Dong Chenchen + +[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ] + +As the call trace shows, skb_panic was caused by wrong skb->mac_header +in nsh_gso_segment(): + +invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 +RIP: 0010:skb_panic+0xda/0xe0 +call Trace: + skb_push+0x91/0xa0 + nsh_gso_segment+0x4f3/0x570 + skb_mac_gso_segment+0x19e/0x270 + __skb_gso_segment+0x1e8/0x3c0 + validate_xmit_skb+0x452/0x890 + validate_xmit_skb_list+0x99/0xd0 + sch_direct_xmit+0x294/0x7c0 + __dev_queue_xmit+0x16f0/0x1d70 + packet_xmit+0x185/0x210 + packet_snd+0xc15/0x1170 + packet_sendmsg+0x7b/0xa0 + sock_sendmsg+0x14f/0x160 + +The root cause is: +nsh_gso_segment() use skb->network_header - nhoff to reset mac_header +in skb_gso_error_unwind() if inner-layer protocol gso fails. +However, skb->network_header may be reset by inner-layer protocol +gso function e.g. mpls_gso_segment. skb->mac_header reset by the +inaccurate network_header will be larger than skb headroom. + +nsh_gso_segment + nhoff = skb->network_header - skb->mac_header; + __skb_pull(skb,nsh_len) + skb_mac_gso_segment + mpls_gso_segment + skb_reset_network_header(skb);//skb->network_header+=nsh_len + return -EINVAL; + skb_gso_error_unwind + skb_push(skb, nsh_len); + skb->mac_header = skb->network_header - nhoff; + // skb->mac_header > skb->headroom, cause skb_push panic + +Use correct mac_offset to restore mac_header and get rid of nhoff. + +Fixes: c411ed854584 ("nsh: add GSO support") +Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Dong Chenchen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nsh/nsh.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c +index e9ca007718b7e..0f23e5e8e03eb 100644 +--- a/net/nsh/nsh.c ++++ b/net/nsh/nsh.c +@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + netdev_features_t features) + { + struct sk_buff *segs = ERR_PTR(-EINVAL); ++ u16 mac_offset = skb->mac_header; + unsigned int nsh_len, mac_len; + __be16 proto; +- int nhoff; + + skb_reset_network_header(skb); + +- nhoff = skb->network_header - skb->mac_header; + mac_len = skb->mac_len; + + if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN))) +@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + segs = skb_mac_gso_segment(skb, features); + if (IS_ERR_OR_NULL(segs)) { + skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len, +- skb->network_header - nhoff, +- mac_len); ++ mac_offset, mac_len); + goto out; + } + + for (skb = segs; skb; skb = skb->next) { + skb->protocol = htons(ETH_P_NSH); + __skb_push(skb, nsh_len); +- skb_set_mac_header(skb, -nhoff); ++ skb->mac_header = mac_offset; + skb->network_header = skb->mac_header + mac_len; + skb->mac_len = mac_len; + } +-- +2.39.2 + diff --git a/queue-5.10/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch b/queue-5.10/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch new file mode 100644 index 00000000000..75c0355e80d --- /dev/null +++ b/queue-5.10/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch @@ -0,0 +1,77 @@ +From aef5a3d77b504781beab4fcc07a90f1fdbdd74f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 18:21:39 +0530 +Subject: net: phy: dp83867: add w/a for packet errors seen with short cables + +From: Grygorii Strashko + +[ Upstream commit 0b01db274028f5acd207332686ffc92ac77491ac ] + +Introduce the W/A for packet errors seen with short cables (<1m) between +two DP83867 PHYs. + +The W/A recommended by DM requires FFE Equalizer Configuration tuning by +writing value 0x0E81 to DSP_FFE_CFG register (0x012C), surrounded by hard +and soft resets as follows: + +write_reg(0x001F, 0x8000); //hard reset +write_reg(DSP_FFE_CFG, 0x0E81); +write_reg(0x001F, 0x4000); //soft reset + +Since DP83867 PHY DM says "Changing this register to 0x0E81, will not +affect Long Cable performance.", enable the W/A by default. + +Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy") +Signed-off-by: Grygorii Strashko +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83867.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index c8031e297faf4..5fabcd15ef77a 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -41,6 +41,7 @@ + #define DP83867_STRAP_STS1 0x006E + #define DP83867_STRAP_STS2 0x006f + #define DP83867_RGMIIDCTL 0x0086 ++#define DP83867_DSP_FFE_CFG 0x012c + #define DP83867_RXFCFG 0x0134 + #define DP83867_RXFPMD1 0x0136 + #define DP83867_RXFPMD2 0x0137 +@@ -807,8 +808,27 @@ static int dp83867_phy_reset(struct phy_device *phydev) + + usleep_range(10, 20); + +- return phy_modify(phydev, MII_DP83867_PHYCTRL, ++ err = phy_modify(phydev, MII_DP83867_PHYCTRL, + DP83867_PHYCR_FORCE_LINK_GOOD, 0); ++ if (err < 0) ++ return err; ++ ++ /* Configure the DSP Feedforward Equalizer Configuration register to ++ * improve short cable (< 1 meter) performance. This will not affect ++ * long cable performance. ++ */ ++ err = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_DSP_FFE_CFG, ++ 0x0e81); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); ++ if (err < 0) ++ return err; ++ ++ usleep_range(10, 20); ++ ++ return 0; + } + + static void dp83867_link_change_notify(struct phy_device *phydev) +-- +2.39.2 + diff --git a/queue-5.10/net-tipc-fix-tipc-header-files-for-kernel-doc.patch b/queue-5.10/net-tipc-fix-tipc-header-files-for-kernel-doc.patch new file mode 100644 index 00000000000..262866d6257 --- /dev/null +++ b/queue-5.10/net-tipc-fix-tipc-header-files-for-kernel-doc.patch @@ -0,0 +1,200 @@ +From 71b9e4c354b08e886ddac065045dd0f0b3d55511 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Nov 2020 10:32:43 -0800 +Subject: net/tipc: fix tipc header files for kernel-doc + +From: Randy Dunlap + +[ Upstream commit ff10527e89826aaf76480ee47e6fd05213189963 ] + +Fix tipc header files for adding to the networking docbook. + +Remove some uses of "/**" that were not kernel-doc notation. + +Fix some source formatting to eliminate Sphinx warnings. + +Add missing struct member and function argument kernel-doc descriptions. + +Correct the description of a couple of struct members that were +marked as "(FIXME)". + +Documentation/networking/tipc:18: ../net/tipc/name_table.h:65: WARNING: Unexpected indentation. +Documentation/networking/tipc:18: ../net/tipc/name_table.h:66: WARNING: Block quote ends without a blank line; unexpected unindent. + +../net/tipc/bearer.h:128: warning: Function parameter or member 'min_win' not described in 'tipc_media' +../net/tipc/bearer.h:128: warning: Function parameter or member 'max_win' not described in 'tipc_media' + +../net/tipc/bearer.h:171: warning: Function parameter or member 'min_win' not described in 'tipc_bearer' +../net/tipc/bearer.h:171: warning: Function parameter or member 'max_win' not described in 'tipc_bearer' +../net/tipc/bearer.h:171: warning: Function parameter or member 'disc' not described in 'tipc_bearer' +../net/tipc/bearer.h:171: warning: Function parameter or member 'up' not described in 'tipc_bearer' +../net/tipc/bearer.h:171: warning: Function parameter or member 'refcnt' not described in 'tipc_bearer' + +../net/tipc/name_distr.h:68: warning: Function parameter or member 'port' not described in 'distr_item' + +../net/tipc/name_table.h:111: warning: Function parameter or member 'services' not described in 'name_table' +../net/tipc/name_table.h:111: warning: Function parameter or member 'cluster_scope_lock' not described in 'name_table' +../net/tipc/name_table.h:111: warning: Function parameter or member 'rc_dests' not described in 'name_table' +../net/tipc/name_table.h:111: warning: Function parameter or member 'snd_nxt' not described in 'name_table' + +../net/tipc/subscr.h:67: warning: Function parameter or member 'kref' not described in 'tipc_subscription' +../net/tipc/subscr.h:67: warning: Function parameter or member 'net' not described in 'tipc_subscription' +../net/tipc/subscr.h:67: warning: Function parameter or member 'service_list' not described in 'tipc_subscription' +../net/tipc/subscr.h:67: warning: Function parameter or member 'conid' not described in 'tipc_subscription' +../net/tipc/subscr.h:67: warning: Function parameter or member 'inactive' not described in 'tipc_subscription' +../net/tipc/subscr.h:67: warning: Function parameter or member 'lock' not described in 'tipc_subscription' + +Signed-off-by: Randy Dunlap +Signed-off-by: Jakub Kicinski +Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation") +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.h | 10 +++++++--- + net/tipc/crypto.h | 6 +++--- + net/tipc/name_distr.h | 2 +- + net/tipc/name_table.h | 9 ++++++--- + net/tipc/subscr.h | 11 +++++++---- + 5 files changed, 24 insertions(+), 14 deletions(-) + +diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h +index bc0023119da2f..6bf4550aa1ac1 100644 +--- a/net/tipc/bearer.h ++++ b/net/tipc/bearer.h +@@ -93,7 +93,8 @@ struct tipc_bearer; + * @raw2addr: convert from raw addr format to media addr format + * @priority: default link (and bearer) priority + * @tolerance: default time (in ms) before declaring link failure +- * @window: default window (in packets) before declaring link congestion ++ * @min_win: minimum window (in packets) before declaring link congestion ++ * @max_win: maximum window (in packets) before declaring link congestion + * @mtu: max packet size bearer can support for media type not dependent on + * underlying device MTU + * @type_id: TIPC media identifier +@@ -138,12 +139,15 @@ struct tipc_media { + * @pt: packet type for bearer + * @rcu: rcu struct for tipc_bearer + * @priority: default link priority for bearer +- * @window: default window size for bearer ++ * @min_win: minimum window (in packets) before declaring link congestion ++ * @max_win: maximum window (in packets) before declaring link congestion + * @tolerance: default link tolerance for bearer + * @domain: network domain to which links can be established + * @identity: array index of this bearer within TIPC bearer array +- * @link_req: ptr to (optional) structure making periodic link setup requests ++ * @disc: ptr to link setup request + * @net_plane: network plane ('A' through 'H') currently associated with bearer ++ * @up: bearer up flag (bit 0) ++ * @refcnt: tipc_bearer reference counter + * + * Note: media-specific code is responsible for initialization of the fields + * indicated below when a bearer is enabled; TIPC's generic bearer code takes +diff --git a/net/tipc/crypto.h b/net/tipc/crypto.h +index e71193bd5e369..ce7d4cc8a9e0c 100644 +--- a/net/tipc/crypto.h ++++ b/net/tipc/crypto.h +@@ -1,5 +1,5 @@ + /* SPDX-License-Identifier: GPL-2.0 */ +-/** ++/* + * net/tipc/crypto.h: Include file for TIPC crypto + * + * Copyright (c) 2019, Ericsson AB +@@ -53,7 +53,7 @@ + #define TIPC_AES_GCM_IV_SIZE 12 + #define TIPC_AES_GCM_TAG_SIZE 16 + +-/** ++/* + * TIPC crypto modes: + * - CLUSTER_KEY: + * One single key is used for both TX & RX in all nodes in the cluster. +@@ -69,7 +69,7 @@ enum { + extern int sysctl_tipc_max_tfms __read_mostly; + extern int sysctl_tipc_key_exchange_enabled __read_mostly; + +-/** ++/* + * TIPC encryption message format: + * + * 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 +diff --git a/net/tipc/name_distr.h b/net/tipc/name_distr.h +index 092323158f060..e231e6964d611 100644 +--- a/net/tipc/name_distr.h ++++ b/net/tipc/name_distr.h +@@ -46,7 +46,7 @@ + * @type: name sequence type + * @lower: name sequence lower bound + * @upper: name sequence upper bound +- * @ref: publishing port reference ++ * @port: publishing port reference + * @key: publication key + * + * ===> All fields are stored in network byte order. <=== +diff --git a/net/tipc/name_table.h b/net/tipc/name_table.h +index 8064e1986e2c8..5a82a01369d67 100644 +--- a/net/tipc/name_table.h ++++ b/net/tipc/name_table.h +@@ -60,8 +60,8 @@ struct tipc_group; + * @key: publication key, unique across the cluster + * @id: publication id + * @binding_node: all publications from the same node which bound this one +- * - Remote publications: in node->publ_list +- * Used by node/name distr to withdraw publications when node is lost ++ * - Remote publications: in node->publ_list; ++ * Used by node/name distr to withdraw publications when node is lost + * - Local/node scope publications: in name_table->node_scope list + * - Local/cluster scope publications: in name_table->cluster_scope list + * @binding_sock: all publications from the same socket which bound this one +@@ -92,13 +92,16 @@ struct publication { + + /** + * struct name_table - table containing all existing port name publications +- * @seq_hlist: name sequence hash lists ++ * @services: name sequence hash lists + * @node_scope: all local publications with node scope + * - used by name_distr during re-init of name table + * @cluster_scope: all local publications with cluster scope + * - used by name_distr to send bulk updates to new nodes + * - used by name_distr during re-init of name table ++ * @cluster_scope_lock: lock for accessing @cluster_scope + * @local_publ_count: number of publications issued by this node ++ * @rc_dests: destination node counter ++ * @snd_nxt: next sequence number to be used + */ + struct name_table { + struct hlist_head services[TIPC_NAMETBL_SIZE]; +diff --git a/net/tipc/subscr.h b/net/tipc/subscr.h +index 6ebbec1bedd1a..63bdce9358fe6 100644 +--- a/net/tipc/subscr.h ++++ b/net/tipc/subscr.h +@@ -47,12 +47,15 @@ struct tipc_conn; + + /** + * struct tipc_subscription - TIPC network topology subscription object +- * @subscriber: pointer to its subscriber +- * @seq: name sequence associated with subscription ++ * @kref: reference count for this subscription ++ * @net: network namespace associated with subscription + * @timer: timer governing subscription duration (optional) +- * @nameseq_list: adjacent subscriptions in name sequence's subscription list ++ * @service_list: adjacent subscriptions in name sequence's subscription list + * @sub_list: adjacent subscriptions in subscriber's subscription list + * @evt: template for events generated by subscription ++ * @conid: connection identifier of topology server ++ * @inactive: true if this subscription is inactive ++ * @lock: serialize up/down and timer events + */ + struct tipc_subscription { + struct kref kref; +@@ -63,7 +66,7 @@ struct tipc_subscription { + struct tipc_event evt; + int conid; + bool inactive; +- spinlock_t lock; /* serialize up/down and timer events */ ++ spinlock_t lock; + }; + + struct tipc_subscription *tipc_sub_subscribe(struct net *net, +-- +2.39.2 + diff --git a/queue-5.10/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch b/queue-5.10/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch new file mode 100644 index 00000000000..b9c927050a2 --- /dev/null +++ b/queue-5.10/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch @@ -0,0 +1,88 @@ +From 47f3b1e644ed1811f6a2a25053a3de25d03c75ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 22:39:30 +0200 +Subject: netfilter: nft_set_rbtree: fix null deref on element insertion + +From: Florian Westphal + +[ Upstream commit 61ae320a29b0540c16931816299eb86bf2b66c08 ] + +There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem(): + +general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + nft_add_set_elem+0x14b0/0x2990 + nf_tables_newsetelem+0x528/0xb30 + +Furthermore, there is a possible use-after-free while iterating, +'node' can be free'd so we need to cache the next value to use. + +Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 4b9a499fe8f4d..1ffb24f4c74ca 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -220,7 +220,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + { + struct nft_set *set = (struct nft_set *)__set; + struct rb_node *prev = rb_prev(&rbe->node); +- struct nft_rbtree_elem *rbe_prev; ++ struct nft_rbtree_elem *rbe_prev = NULL; + struct nft_set_gc_batch *gcb; + + gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC); +@@ -228,17 +228,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + return -ENOMEM; + + /* search for expired end interval coming before this element. */ +- do { ++ while (prev) { + rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); + if (nft_rbtree_interval_end(rbe_prev)) + break; + + prev = rb_prev(prev); +- } while (prev != NULL); ++ } ++ ++ if (rbe_prev) { ++ rb_erase(&rbe_prev->node, &priv->root); ++ atomic_dec(&set->nelems); ++ } + +- rb_erase(&rbe_prev->node, &priv->root); + rb_erase(&rbe->node, &priv->root); +- atomic_sub(2, &set->nelems); ++ atomic_dec(&set->nelems); + + nft_set_gc_batch_add(gcb, rbe); + nft_set_gc_batch_complete(gcb); +@@ -267,7 +271,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + struct nft_set_ext **ext) + { + struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL; +- struct rb_node *node, *parent, **p, *first = NULL; ++ struct rb_node *node, *next, *parent, **p, *first = NULL; + struct nft_rbtree *priv = nft_set_priv(set); + u8 genmask = nft_genmask_next(net); + int d, err; +@@ -306,7 +310,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + * Values stored in the tree are in reversed order, starting from + * highest to lowest value. + */ +- for (node = first; node != NULL; node = rb_next(node)) { ++ for (node = first; node != NULL; node = next) { ++ next = rb_next(node); ++ + rbe = rb_entry(node, struct nft_rbtree_elem, node); + + if (!nft_set_elem_active(&rbe->ext, genmask)) +-- +2.39.2 + diff --git a/queue-5.10/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch b/queue-5.10/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch new file mode 100644 index 00000000000..98e6997623f --- /dev/null +++ b/queue-5.10/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch @@ -0,0 +1,125 @@ +From f520c73bc047a1031fb20105231ce413f3f635a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 09:46:18 +0200 +Subject: Revert "Fix XFRM-I support for nested ESP tunnels" + +From: Martin Willi + +[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ] + +This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de. + +The reverted commit clears the secpath on packets received via xfrm interfaces +to support nested IPsec tunnels. This breaks Netfilter policy matching using +xt_policy in the FORWARD chain, as the secpath is missing during forwarding. +Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode. + +Fix this regression by reverting the commit until we have a better approach +for nested IPsec tunnels. + +Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels") +Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/ +Signed-off-by: Martin Willi +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_interface.c | 54 +++------------------------------------ + net/xfrm/xfrm_policy.c | 3 --- + 2 files changed, 4 insertions(+), 53 deletions(-) + +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c +index e4f21a6924153..da518b4ca84c6 100644 +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -207,52 +207,6 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet) + skb->mark = 0; + } + +-static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi, +- int encap_type, unsigned short family) +-{ +- struct sec_path *sp; +- +- sp = skb_sec_path(skb); +- if (sp && (sp->len || sp->olen) && +- !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) +- goto discard; +- +- XFRM_SPI_SKB_CB(skb)->family = family; +- if (family == AF_INET) { +- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); +- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; +- } else { +- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr); +- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL; +- } +- +- return xfrm_input(skb, nexthdr, spi, encap_type); +-discard: +- kfree_skb(skb); +- return 0; +-} +- +-static int xfrmi4_rcv(struct sk_buff *skb) +-{ +- return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET); +-} +- +-static int xfrmi6_rcv(struct sk_buff *skb) +-{ +- return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff], +- 0, 0, AF_INET6); +-} +- +-static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) +-{ +- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET); +-} +- +-static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) +-{ +- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6); +-} +- + static int xfrmi_rcv_cb(struct sk_buff *skb, int err) + { + const struct xfrm_mode *inner_mode; +@@ -826,8 +780,8 @@ static struct pernet_operations xfrmi_net_ops = { + }; + + static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { +- .handler = xfrmi6_rcv, +- .input_handler = xfrmi6_input, ++ .handler = xfrm6_rcv, ++ .input_handler = xfrm_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi6_err, + .priority = 10, +@@ -877,8 +831,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = { + #endif + + static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = { +- .handler = xfrmi4_rcv, +- .input_handler = xfrmi4_input, ++ .handler = xfrm4_rcv, ++ .input_handler = xfrm_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi4_err, + .priority = 10, +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 8ebe305f6ddd7..2956854928537 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3704,9 +3704,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + goto reject; + } + +- if (if_id) +- secpath_reset(skb); +- + xfrm_pols_put(pols, npols); + return 1; + } +-- +2.39.2 + diff --git a/queue-5.10/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch b/queue-5.10/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch new file mode 100644 index 00000000000..1057925ba33 --- /dev/null +++ b/queue-5.10/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch @@ -0,0 +1,65 @@ +From 661e94f67fec4aa2c2f7daa89e9d82a229355b20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 10:20:41 -0700 +Subject: scsi: storvsc: Don't pass unused PFNs to Hyper-V host + +From: Michael Kelley + +[ Upstream commit 4e81a6cba517cb33584308a331f14f5e3fec369b ] + +In a SCSI request, storvsc pre-allocates space for up to +MAX_PAGE_BUFFER_COUNT physical frame numbers to be passed to Hyper-V. If +the size of the I/O request requires more PFNs, a separate memory area of +exactly the correct size is dynamically allocated. + +But when the pre-allocated area is used, current code always passes +MAX_PAGE_BUFFER_COUNT PFNs to Hyper-V, even if fewer are needed. While +this doesn't break anything because the additional PFNs are always zero, +more bytes than necessary are copied into the VMBus channel ring buffer. +This takes CPU cycles and wastes space in the ring buffer. For a typical 4 +Kbyte I/O that requires only a single PFN, 248 unnecessary bytes are +copied. + +Fix this by setting the payload_sz based on the actual number of PFNs +required, not the size of the pre-allocated space. + +Reported-by: John Starks +Fixes: 8f43710543ef ("scsi: storvsc: Support PAGE_SIZE larger than 4K") +Signed-off-by: Michael Kelley +Link: https://lore.kernel.org/r/1684171241-16209-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/storvsc_drv.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index e38aebcabb26f..70b4868fe2f7d 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1756,7 +1756,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) + + length = scsi_bufflen(scmnd); + payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb; +- payload_sz = sizeof(cmd_request->mpb); ++ payload_sz = 0; + + if (sg_count) { + unsigned int hvpgoff = 0; +@@ -1764,10 +1764,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) + unsigned int hvpg_count = HVPFN_UP(offset_in_hvpg + length); + u64 hvpfn; + +- if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { ++ payload_sz = (hvpg_count * sizeof(u64) + ++ sizeof(struct vmbus_packet_mpb_array)); + +- payload_sz = (hvpg_count * sizeof(u64) + +- sizeof(struct vmbus_packet_mpb_array)); ++ if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { + payload = kzalloc(payload_sz, GFP_ATOMIC); + if (!payload) + return SCSI_MLQUEUE_DEVICE_BUSY; +-- +2.39.2 + diff --git a/queue-5.10/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch b/queue-5.10/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch new file mode 100644 index 00000000000..b02bbc72eba --- /dev/null +++ b/queue-5.10/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch @@ -0,0 +1,51 @@ +From 809f3560dd1f75d65b19598a5ed3da3af6dc85b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Apr 2023 11:16:36 +0800 +Subject: serial: arc_uart: fix of_iomap leak in `arc_serial_probe` + +From: Ke Zhang + +[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ] + +Smatch reports: + +drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn: +'port->membase' from of_iomap() not released on lines: 631. + +In arc_serial_probe(), if uart_add_one_port() fails, +port->membase is not released, which would cause a resource leak. + +To fix this, I replace of_iomap with devm_platform_ioremap_resource. + +Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper") +Signed-off-by: Ke Zhang +Reviewed-by: Dongliang Mu +Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/arc_uart.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c +index 17c3fc398fc65..6f7a7d2dcf3aa 100644 +--- a/drivers/tty/serial/arc_uart.c ++++ b/drivers/tty/serial/arc_uart.c +@@ -609,10 +609,11 @@ static int arc_serial_probe(struct platform_device *pdev) + } + uart->baud = val; + +- port->membase = of_iomap(np, 0); +- if (!port->membase) ++ port->membase = devm_platform_ioremap_resource(pdev, 0); ++ if (IS_ERR(port->membase)) { + /* No point of dev_err since UART itself is hosed here */ +- return -ENXIO; ++ return PTR_ERR(port->membase); ++ } + + port->irq = irq_of_parse_and_map(np, 0); + +-- +2.39.2 + diff --git a/queue-5.10/series b/queue-5.10/series index b71d6883d52..4971621524f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -84,3 +84,39 @@ mfd-dln2-fix-memory-leak-in-dln2_probe.patch btrfs-move-btrfs_find_highest_objectid-btrfs_find_fr.patch btrfs-replace-calls-to-btrfs_find_free_ino-with-btrf.patch btrfs-fix-space-cache-inconsistency-after-error-load.patch +xfrm-don-t-check-the-default-policy-if-the-policy-al.patch +revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch +drm-msm-dp-unregister-audio-driver-during-unbind.patch +drm-msm-dpu-remove-duplicate-register-defines-from-i.patch +cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch +af_key-reject-optional-tunnel-beet-mode-templates-in.patch +net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch +net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch +alsa-firewire-digi00x-prevent-potential-use-after-fr.patch +alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch +vsock-avoid-to-close-connected-socket-after-the-time.patch +ipv4-tcp-do-not-use-per-netns-ctl-sockets.patch +net-find-dst-with-sk-s-xfrm-policy-not-ctl_sk.patch +tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch +serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch +erspan-get-the-proto-with-the-md-version-for-collect.patch +net-hns3-fix-sending-pfc-frames-after-reset-issue.patch +net-hns3-fix-reset-delay-time-to-avoid-configuration.patch +media-netup_unidvb-fix-use-after-free-at-del_timer.patch +sunrpc-fix-trace_svc_register-call-site.patch +drm-exynos-fix-g2d_open-close-helper-function-defini.patch +net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch +net-tipc-fix-tipc-header-files-for-kernel-doc.patch +tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch +tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch +tipc-check-the-bearer-min-mtu-properly-when-setting-.patch +net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch +net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch +wifi-mac80211-fix-min-center-freq-offset-tracing.patch +wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch +scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch +cassini-fix-a-memory-leak-in-the-error-handling-path.patch +igb-fix-bit_shift-to-be-in-1.8-range.patch +vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch +netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch +bridge-always-declare-tunnel-functions.patch diff --git a/queue-5.10/sunrpc-fix-trace_svc_register-call-site.patch b/queue-5.10/sunrpc-fix-trace_svc_register-call-site.patch new file mode 100644 index 00000000000..70f9c3f6825 --- /dev/null +++ b/queue-5.10/sunrpc-fix-trace_svc_register-call-site.patch @@ -0,0 +1,35 @@ +From 4f099c3d1fe95f65c21cb1420c4cbc74b7d22534 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:51:48 -0400 +Subject: SUNRPC: Fix trace_svc_register() call site + +From: Chuck Lever + +[ Upstream commit 07a27305938559fb35f7a46fb90a5e37728bdee6 ] + +The trace event recorded incorrect values for the registered family, +protocol, and port because the arguments are in the wrong order. + +Fixes: b4af59328c25 ("SUNRPC: Trace server-side rpcbind registration events") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index af657a482ad2d..495ebe7fad6dd 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -995,7 +995,7 @@ static int __svc_register(struct net *net, const char *progname, + #endif + } + +- trace_svc_register(progname, version, protocol, port, family, error); ++ trace_svc_register(progname, version, family, protocol, port, error); + return error; + } + +-- +2.39.2 + diff --git a/queue-5.10/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch b/queue-5.10/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch new file mode 100644 index 00000000000..c831fd67c61 --- /dev/null +++ b/queue-5.10/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch @@ -0,0 +1,62 @@ +From 48b2d29314059c158484b95900bd4af807dc8646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 11:47:49 +0000 +Subject: tcp: fix possible sk_priority leak in tcp_v4_send_reset() + +From: Eric Dumazet + +[ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ] + +When tcp_v4_send_reset() is called with @sk == NULL, +we do not change ctl_sk->sk_priority, which could have been +set from a prior invocation. + +Change tcp_v4_send_reset() to set sk_priority and sk_mark +fields before calling ip_send_unicast_reply(). + +This means tcp_v4_send_reset() and tcp_v4_send_ack() +no longer have to clear ctl_sk->sk_mark after +their call to ip_send_unicast_reply(). + +Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state") +Signed-off-by: Eric Dumazet +Cc: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 1995d46afb214..270b20e0907c2 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -805,6 +805,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); + xfrm_sk_clone_policy(ctl_sk, sk); ++ } else { ++ ctl_sk->sk_mark = 0; ++ ctl_sk->sk_priority = 0; + } + ip_send_unicast_reply(ctl_sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, +@@ -812,7 +815,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); +@@ -911,7 +913,6 @@ static void tcp_v4_send_ack(const struct sock *sk, + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + local_bh_enable(); +-- +2.39.2 + diff --git a/queue-5.10/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch b/queue-5.10/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch new file mode 100644 index 00000000000..18a6ce31c12 --- /dev/null +++ b/queue-5.10/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch @@ -0,0 +1,105 @@ +From 516672b5f06f66fdf22a01e660d88dc409cdce69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:27 -0400 +Subject: tipc: add tipc_bearer_min_mtu to calculate min mtu + +From: Xin Long + +[ Upstream commit 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 ] + +As different media may requires different min mtu, and even the +same media with different net family requires different min mtu, +add tipc_bearer_min_mtu() to calculate min mtu accordingly. + +This API will be used to check the new mtu when doing the link +mtu negotiation in the next patch. + +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation") +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 13 +++++++++++++ + net/tipc/bearer.h | 3 +++ + net/tipc/udp_media.c | 5 +++-- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 72c31ef985eb3..c6a9b3446ff89 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -525,6 +525,19 @@ int tipc_bearer_mtu(struct net *net, u32 bearer_id) + return mtu; + } + ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id) ++{ ++ int mtu = TIPC_MIN_BEARER_MTU; ++ struct tipc_bearer *b; ++ ++ rcu_read_lock(); ++ b = bearer_get(net, bearer_id); ++ if (b) ++ mtu += b->encap_hlen; ++ rcu_read_unlock(); ++ return mtu; ++} ++ + /* tipc_bearer_xmit_skb - sends buffer to destination over bearer + */ + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, +diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h +index 6bf4550aa1ac1..711a50f449934 100644 +--- a/net/tipc/bearer.h ++++ b/net/tipc/bearer.h +@@ -146,6 +146,7 @@ struct tipc_media { + * @identity: array index of this bearer within TIPC bearer array + * @disc: ptr to link setup request + * @net_plane: network plane ('A' through 'H') currently associated with bearer ++ * @encap_hlen: encap headers length + * @up: bearer up flag (bit 0) + * @refcnt: tipc_bearer reference counter + * +@@ -170,6 +171,7 @@ struct tipc_bearer { + u32 identity; + struct tipc_discoverer *disc; + char net_plane; ++ u16 encap_hlen; + unsigned long up; + refcount_t refcnt; + }; +@@ -232,6 +234,7 @@ int tipc_bearer_setup(void); + void tipc_bearer_cleanup(void); + void tipc_bearer_stop(struct net *net); + int tipc_bearer_mtu(struct net *net, u32 bearer_id); ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id); + bool tipc_bearer_bcast_support(struct net *net, u32 bearer_id); + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, + struct sk_buff *skb, +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index a236281082726..3e47501f024fd 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -730,8 +730,8 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + udp_conf.local_ip.s_addr = local.ipv4.s_addr; + udp_conf.use_udp_checksums = false; + ub->ifindex = dev->ifindex; +- if (tipc_mtu_bad(dev, sizeof(struct iphdr) + +- sizeof(struct udphdr))) { ++ b->encap_hlen = sizeof(struct iphdr) + sizeof(struct udphdr); ++ if (tipc_mtu_bad(dev, b->encap_hlen)) { + err = -EINVAL; + goto err; + } +@@ -752,6 +752,7 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + else + udp_conf.local_ip6 = local.ipv6; + ub->ifindex = dev->ifindex; ++ b->encap_hlen = sizeof(struct ipv6hdr) + sizeof(struct udphdr); + b->mtu = 1280; + #endif + } else { +-- +2.39.2 + diff --git a/queue-5.10/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch b/queue-5.10/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch new file mode 100644 index 00000000000..d4f63bb1549 --- /dev/null +++ b/queue-5.10/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch @@ -0,0 +1,45 @@ +From 04a7b319a7cd0e8b342aea5714ff77fa105f356b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:29 -0400 +Subject: tipc: check the bearer min mtu properly when setting it by netlink + +From: Xin Long + +[ Upstream commit 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 ] + +Checking the bearer min mtu with tipc_udp_mtu_bad() only works for +IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the +min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU +for min mtu, which works for both IPv4 and IPv6 UDP bearer. + +Note that tipc_udp_mtu_bad() is still used to check media min mtu +in __tipc_nl_media_set(), as m->mtu currently is only used by the +IPv4 UDP bearer as its default mtu value. + +Fixes: 682cd3cf946b ("tipc: confgiure and apply UDP bearer MTU on running links") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index c6a9b3446ff89..91e678fa3feb5 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -1135,8 +1135,8 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info) + return -EINVAL; + } + #ifdef CONFIG_TIPC_MEDIA_UDP +- if (tipc_udp_mtu_bad(nla_get_u32 +- (props[TIPC_NLA_PROP_MTU]))) { ++ if (nla_get_u32(props[TIPC_NLA_PROP_MTU]) < ++ b->encap_hlen + TIPC_MIN_BEARER_MTU) { + NL_SET_ERR_MSG(info->extack, + "MTU value is out-of-range"); + return -EINVAL; +-- +2.39.2 + diff --git a/queue-5.10/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch b/queue-5.10/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch new file mode 100644 index 00000000000..a80ad5bfce5 --- /dev/null +++ b/queue-5.10/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch @@ -0,0 +1,92 @@ +From b9de7dda19caf1946d81384acabc2e46b6aa2017 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:28 -0400 +Subject: tipc: do not update mtu if msg_max is too small in mtu negotiation + +From: Xin Long + +[ Upstream commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 ] + +When doing link mtu negotiation, a malicious peer may send Activate msg +with a very small mtu, e.g. 4 in Shuang's testing, without checking for +the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then +n->links[bearer_id].mtu is set to 4294967228, which is a overflow of +'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss(). + +With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning: + + tipc: Too large msg, purging xmit list 1 5 0 40 4! + tipc: Too large msg, purging xmit list 1 15 0 60 4! + +And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in +named_distribute(), and when purging it in tipc_link_xmit(), a crash +was even caused: + + general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI + CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19 + RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0 + Call Trace: + + skb_release_data+0xf9/0x1d0 + kfree_skb_reason+0x40/0x100 + tipc_link_xmit+0x57a/0x740 [tipc] + tipc_node_xmit+0x16c/0x5c0 [tipc] + tipc_named_node_up+0x27f/0x2c0 [tipc] + tipc_node_write_unlock+0x149/0x170 [tipc] + tipc_rcv+0x608/0x740 [tipc] + tipc_udp_recv+0xdc/0x1f0 [tipc] + udp_queue_rcv_one_skb+0x33e/0x620 + udp_unicast_rcv_skb.isra.72+0x75/0x90 + __udp4_lib_rcv+0x56d/0xc20 + ip_protocol_deliver_rcu+0x100/0x2d0 + +This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(), +and not updating mtu if it is too small. + +Fixes: ed193ece2649 ("tipc: simplify link mtu negotiation") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index c1e56d1f21b38..dbb1bc722ba9b 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -2164,7 +2164,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + struct tipc_msg *hdr = buf_msg(skb); + struct tipc_gap_ack_blks *ga = NULL; + bool reply = msg_probe(hdr), retransmitted = false; +- u32 dlen = msg_data_sz(hdr), glen = 0; ++ u32 dlen = msg_data_sz(hdr), glen = 0, msg_max; + u16 peers_snd_nxt = msg_next_sent(hdr); + u16 peers_tol = msg_link_tolerance(hdr); + u16 peers_prio = msg_linkprio(hdr); +@@ -2203,6 +2203,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + switch (mtyp) { + case RESET_MSG: + case ACTIVATE_MSG: ++ msg_max = msg_max_pkt(hdr); ++ if (msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id)) ++ break; + /* Complete own link name with peer's interface name */ + if_name = strrchr(l->name, ':') + 1; + if (sizeof(l->name) - (if_name - l->name) <= TIPC_MAX_IF_NAME) +@@ -2247,8 +2250,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + l->peer_session = msg_session(hdr); + l->in_session = true; + l->peer_bearer_id = msg_bearer_id(hdr); +- if (l->mtu > msg_max_pkt(hdr)) +- l->mtu = msg_max_pkt(hdr); ++ if (l->mtu > msg_max) ++ l->mtu = msg_max; + break; + + case STATE_MSG: +-- +2.39.2 + diff --git a/queue-5.10/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch b/queue-5.10/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch new file mode 100644 index 00000000000..a33234a4aa0 --- /dev/null +++ b/queue-5.10/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch @@ -0,0 +1,93 @@ +From a36e4bafefddffa1852f00835ebca58bd82f8c8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 14:23:42 +0000 +Subject: vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() + +From: Eric Dumazet + +[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ] + +syzbot triggered the following splat [1], sending an empty message +through pppoe_sendmsg(). + +When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header() +does not push extra bytes for the VLAN header, because vlan is offloaded. + +Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto +before testing (vlan->flags & VLAN_FLAG_REORDER_HDR). + +We need to swap the two conditions. + +[1] +BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +__netdev_start_xmit include/linux/netdevice.h:4883 [inline] +netdev_start_xmit include/linux/netdevice.h:4897 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596 +__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3053 [inline] +pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774 +slab_alloc_node mm/slub.c:3452 [inline] +kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497 +kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520 +__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606 +alloc_skb include/linux/skbuff.h:1277 [inline] +sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583 +pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 929f85c6cf112..8edac9307868a 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb, + * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING + * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs... + */ +- if (veth->h_vlan_proto != vlan->vlan_proto || +- vlan->flags & VLAN_FLAG_REORDER_HDR) { ++ if (vlan->flags & VLAN_FLAG_REORDER_HDR || ++ veth->h_vlan_proto != vlan->vlan_proto) { + u16 vlan_tci; + vlan_tci = vlan->vlan_id; + vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority); +-- +2.39.2 + diff --git a/queue-5.10/vsock-avoid-to-close-connected-socket-after-the-time.patch b/queue-5.10/vsock-avoid-to-close-connected-socket-after-the-time.patch new file mode 100644 index 00000000000..5692f824f92 --- /dev/null +++ b/queue-5.10/vsock-avoid-to-close-connected-socket-after-the-time.patch @@ -0,0 +1,54 @@ +From 2ad8dafab4b6b0b9356cb1635e4faf10273635eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:34:30 +0800 +Subject: vsock: avoid to close connected socket after the timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhuang Shengen + +[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ] + +When client and server establish a connection through vsock, +the client send a request to the server to initiate the connection, +then start a timer to wait for the server's response. When the server's +RESPONSE message arrives, the timer also times out and exits. The +server's RESPONSE message is processed first, and the connection is +established. However, the client's timer also times out, the original +processing logic of the client is to directly set the state of this vsock +to CLOSE and return ETIMEDOUT. It will not notify the server when the port +is released, causing the server port remain. +when client's vsock_connect timeout,it should check sk state is +ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection +is established, the client should not set the sk state to CLOSE + +Note: I encountered this issue on kernel-4.18, which can be fixed by +this patch. Then I checked the latest code in the community +and found similar issue. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Zhuang Shengen +Reviewed-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 7829a5018ef9f..ce14374bbacad 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1372,7 +1372,7 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + vsock_transport_cancel_pkt(vsk); + vsock_remove_connected(vsk); + goto out_wait; +- } else if (timeout == 0) { ++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { + err = -ETIMEDOUT; + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; +-- +2.39.2 + diff --git a/queue-5.10/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch b/queue-5.10/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch new file mode 100644 index 00000000000..c962e6863bb --- /dev/null +++ b/queue-5.10/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch @@ -0,0 +1,60 @@ +From 7529b2dba76abd9757e354f57a3fac5ef549e1e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:53 +0300 +Subject: wifi: iwlwifi: mvm: don't trust firmware n_channels + +From: Johannes Berg + +[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ] + +If the firmware sends us a corrupted MCC response with +n_channels much larger than the command response can be, +we might copy far too much (uninitialized) memory and +even crash if the n_channels is large enough to make it +run out of the one page allocated for the FW response. + +Fix that by checking the lengths. Doing a < comparison +would be sufficient, but the firmware should be doing +it correctly, so check more strictly. + +Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +index 60296a754af26..34be3f75c2e96 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +@@ -502,6 +502,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL); +@@ -513,6 +518,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp_v3->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp_v3, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kzalloc(resp_len, GFP_KERNEL); +-- +2.39.2 + diff --git a/queue-5.10/wifi-mac80211-fix-min-center-freq-offset-tracing.patch b/queue-5.10/wifi-mac80211-fix-min-center-freq-offset-tracing.patch new file mode 100644 index 00000000000..0bf188308dc --- /dev/null +++ b/queue-5.10/wifi-mac80211-fix-min-center-freq-offset-tracing.patch @@ -0,0 +1,39 @@ +From f22ee56f123ee4156531f5ff7aca304301f60546 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:45:01 +0300 +Subject: wifi: mac80211: fix min center freq offset tracing + +From: Johannes Berg + +[ Upstream commit 248e4776514bf70236e6b1a54c65aa5324c8b1eb ] + +We need to set the correct trace variable, otherwise we're +overwriting something else instead and the right one that +we print later is not initialized. + +Fixes: b6011960f392 ("mac80211: handle channel frequency offset") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-2-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h +index 89723907a0945..5ddaa7c824773 100644 +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -67,7 +67,7 @@ + __entry->min_freq_offset = (c)->chan ? (c)->chan->freq_offset : 0; \ + __entry->min_chan_width = (c)->width; \ + __entry->min_center_freq1 = (c)->center_freq1; \ +- __entry->freq1_offset = (c)->freq1_offset; \ ++ __entry->min_freq1_offset = (c)->freq1_offset; \ + __entry->min_center_freq2 = (c)->center_freq2; + #define MIN_CHANDEF_PR_FMT " min_control:%d.%03d MHz min_width:%d min_center: %d.%03d/%d MHz" + #define MIN_CHANDEF_PR_ARG __entry->min_control_freq, __entry->min_freq_offset, \ +-- +2.39.2 + diff --git a/queue-5.10/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch b/queue-5.10/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch new file mode 100644 index 00000000000..9eb285aee83 --- /dev/null +++ b/queue-5.10/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch @@ -0,0 +1,49 @@ +From 2005cad7067748a15bfbc13b88d61800b7c294a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 15:12:16 +0200 +Subject: xfrm: don't check the default policy if the policy allows the packet + +From: Sabrina Dubroca + +[ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ] + +The current code doesn't let a simple "allow" policy counteract a +default policy blocking all incoming packets: + + ip x p setdefault in block + ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow + +At this stage, we have an allow policy (with or without transforms) +for this packet. It doesn't matter what the default policy says, since +the policy we looked up lets the packet through. The case of a +blocking policy is already handled separately, so we can remove this +check. + +Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index d15aa62887de0..8ebe305f6ddd7 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3677,12 +3677,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + xfrm_nr = ti; + +- if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK && +- !xfrm_nr) { +- XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES); +- goto reject; +- } +- + if (npols > 1) { + xfrm_tmpl_sort(stp, tpp, xfrm_nr, family); + tpp = stp; +-- +2.39.2 + -- 2.47.3