From 6c111f208ef05b7946119c2331a3d3aee399e152 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 20 Dec 2024 09:38:59 -0500 Subject: [PATCH] Fixes for 6.6 Signed-off-by: Sasha Levin --- ...ntial-bogus-return-value-upon-succes.patch | 40 +++ ...egion-creation-for-greater-than-x2-s.patch | 153 ++++++++++++ ...etdev-notifier-unregister-on-failure.patch | 43 ++++ ...-ee-offset-when-returning-sprom-data.patch | 42 ++++ ...f-ip_vs_conn_tab-on-small-memory-sys.patch | 58 +++++ ...-all-requests-in-req_running-counter.patch | 54 +++++ ...-transfers-when-exceeding-max-simult.patch | 177 ++++++++++++++ ...ac-platform-fix-an-of-node-reference.patch | 51 ++++ ...inic-fix-cleanup-in-create_rxqs-txqs.patch | 54 +++++ ...diobus-fix-an-of-node-reference-leak.patch | 61 +++++ ...fix-incorrect-ifh-src_port-field-in-.patch | 73 ++++++ ...as-rswitch-rework-ts-tags-management.patch | 229 ++++++++++++++++++ ...area_offset-and-ipv6_prefixes_cnt-wh.patch | 90 +++++++ ...turn-value-of-sock_recvmsg-when-drai.patch | 47 ++++ ...cd_v2_ext_offset-when-receiving-prop.patch | 64 +++++ ...dbuf_space-again-after-nospace-flag-.patch | 63 +++++ ..._ext_offset-eid_cnt-ism_gid_cnt-when.patch | 94 +++++++ ...link-down-work-from-execute-after-lg.patch | 89 +++++++ ...t-bad-user-input-in-nsim_dev_health_.patch | 40 +++ ...et-fix-for-recursive-locking-warning.patch | 62 +++++ ...ts-openvswitch-fix-tcpdump-execution.patch | 48 ++++ queue-6.6/series | 22 ++ ...permissions-of-networkmanager-config.patch | 40 +++ 23 files changed, 1694 insertions(+) create mode 100644 queue-6.6/cxl-pci-fix-potential-bogus-return-value-upon-succes.patch create mode 100644 queue-6.6/cxl-region-fix-region-creation-for-greater-than-x2-s.patch create mode 100644 queue-6.6/ionic-fix-netdev-notifier-unregister-on-failure.patch create mode 100644 queue-6.6/ionic-use-ee-offset-when-returning-sprom-data.patch create mode 100644 queue-6.6/ipvs-fix-clamp-of-ip_vs_conn_tab-on-small-memory-sys.patch create mode 100644 queue-6.6/ksmbd-count-all-requests-in-req_running-counter.patch create mode 100644 queue-6.6/ksmbd-fix-broken-transfers-when-exceeding-max-simult.patch create mode 100644 queue-6.6/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch create mode 100644 queue-6.6/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch create mode 100644 queue-6.6/net-mdiobus-fix-an-of-node-reference-leak.patch create mode 100644 queue-6.6/net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch create mode 100644 queue-6.6/net-renesas-rswitch-rework-ts-tags-management.patch create mode 100644 queue-6.6/net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch create mode 100644 queue-6.6/net-smc-check-return-value-of-sock_recvmsg-when-drai.patch create mode 100644 queue-6.6/net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch create mode 100644 queue-6.6/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch create mode 100644 queue-6.6/net-smc-check-v2_ext_offset-eid_cnt-ism_gid_cnt-when.patch create mode 100644 queue-6.6/net-smc-protect-link-down-work-from-execute-after-lg.patch create mode 100644 queue-6.6/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch create mode 100644 queue-6.6/netfilter-ipset-fix-for-recursive-locking-warning.patch create mode 100644 queue-6.6/selftests-openvswitch-fix-tcpdump-execution.patch create mode 100644 queue-6.6/tools-hv-change-permissions-of-networkmanager-config.patch diff --git a/queue-6.6/cxl-pci-fix-potential-bogus-return-value-upon-succes.patch b/queue-6.6/cxl-pci-fix-potential-bogus-return-value-upon-succes.patch new file mode 100644 index 00000000000..1b3b1fe4d4b --- /dev/null +++ b/queue-6.6/cxl-pci-fix-potential-bogus-return-value-upon-succes.patch @@ -0,0 +1,40 @@ +From ac10408efdc8891781765a29cae1c7c121436e22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 09:00:32 -0800 +Subject: cxl/pci: Fix potential bogus return value upon successful probing + +From: Davidlohr Bueso + +[ Upstream commit da4d8c83358163df9a4addaeba0ef8bcb03b22e8 ] + +If cxl_pci_ras_unmask() returns non-zero, cxl_pci_probe() will end up +returning that value, instead of zero. + +Fixes: 248529edc86f ("cxl: add RAS status unmasking for CXL") +Reviewed-by: Fan Ni +Signed-off-by: Davidlohr Bueso +Reviewed-by: Ira Weiny +Link: https://patch.msgid.link/20241115170032.108445-1-dave@stgolabs.net +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/pci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c +index 8bece1e2e249..aacd93f9067d 100644 +--- a/drivers/cxl/pci.c ++++ b/drivers/cxl/pci.c +@@ -911,8 +911,7 @@ static int cxl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (rc) + return rc; + +- rc = cxl_pci_ras_unmask(pdev); +- if (rc) ++ if (cxl_pci_ras_unmask(pdev)) + dev_dbg(&pdev->dev, "No RAS reporting unmasked\n"); + + pci_save_state(pdev); +-- +2.39.5 + diff --git a/queue-6.6/cxl-region-fix-region-creation-for-greater-than-x2-s.patch b/queue-6.6/cxl-region-fix-region-creation-for-greater-than-x2-s.patch new file mode 100644 index 00000000000..aebb81a5e65 --- /dev/null +++ b/queue-6.6/cxl-region-fix-region-creation-for-greater-than-x2-s.patch @@ -0,0 +1,153 @@ +From 9a183cebac00374e4ce1cf167cdeda19fda2318b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 15:33:02 -0800 +Subject: cxl/region: Fix region creation for greater than x2 switches + +From: Huaisheng Ye + +[ Upstream commit 76467a94810c2aa4dd3096903291ac6df30c399e ] + +The cxl_port_setup_targets() algorithm fails to identify valid target list +ordering in the presence of 4-way and above switches resulting in +'cxl create-region' failures of the form: + + $ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0 + cxl region: create_region: region0: failed to set target7 to mem0 + cxl region: cmd_create_region: created 0 regions + + [kernel debug message] + check_last_peer:1213: cxl region0: pci0000:0c:port1: cannot host mem6:decoder7.0 at 2 + bus_remove_device:574: bus: 'cxl': remove device region0 + +QEMU can create this failing topology: + + ACPI0017:00 [root0] + | + HB_0 [port1] + / \ + RP_0 RP_1 + | | + USP [port2] USP [port3] + / / \ \ / / \ \ + DSP DSP DSP DSP DSP DSP DSP DSP + | | | | | | | | + mem4 mem6 mem2 mem7 mem1 mem3 mem5 mem0 + Pos: 0 2 4 6 1 3 5 7 + + HB: Host Bridge + RP: Root Port + USP: Upstream Port + DSP: Downstream Port + +...with the following command steps: + +$ qemu-system-x86_64 -machine q35,cxl=on,accel=tcg \ + -smp cpus=8 \ + -m 8G \ + -hda /home/work/vm-images/centos-stream8-02.qcow2 \ + -object memory-backend-ram,size=4G,id=m0 \ + -object memory-backend-ram,size=4G,id=m1 \ + -object memory-backend-ram,size=2G,id=cxl-mem0 \ + -object memory-backend-ram,size=2G,id=cxl-mem1 \ + -object memory-backend-ram,size=2G,id=cxl-mem2 \ + -object memory-backend-ram,size=2G,id=cxl-mem3 \ + -object memory-backend-ram,size=2G,id=cxl-mem4 \ + -object memory-backend-ram,size=2G,id=cxl-mem5 \ + -object memory-backend-ram,size=2G,id=cxl-mem6 \ + -object memory-backend-ram,size=2G,id=cxl-mem7 \ + -numa node,memdev=m0,cpus=0-3,nodeid=0 \ + -numa node,memdev=m1,cpus=4-7,nodeid=1 \ + -netdev user,id=net0,hostfwd=tcp::2222-:22 \ + -device virtio-net-pci,netdev=net0 \ + -device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.1 \ + -device cxl-rp,port=0,bus=cxl.1,id=root_port0,chassis=0,slot=0 \ + -device cxl-rp,port=1,bus=cxl.1,id=root_port1,chassis=0,slot=1 \ + -device cxl-upstream,bus=root_port0,id=us0 \ + -device cxl-downstream,port=0,bus=us0,id=swport0,chassis=0,slot=4 \ + -device cxl-type3,bus=swport0,volatile-memdev=cxl-mem0,id=cxl-vmem0 \ + -device cxl-downstream,port=1,bus=us0,id=swport1,chassis=0,slot=5 \ + -device cxl-type3,bus=swport1,volatile-memdev=cxl-mem1,id=cxl-vmem1 \ + -device cxl-downstream,port=2,bus=us0,id=swport2,chassis=0,slot=6 \ + -device cxl-type3,bus=swport2,volatile-memdev=cxl-mem2,id=cxl-vmem2 \ + -device cxl-downstream,port=3,bus=us0,id=swport3,chassis=0,slot=7 \ + -device cxl-type3,bus=swport3,volatile-memdev=cxl-mem3,id=cxl-vmem3 \ + -device cxl-upstream,bus=root_port1,id=us1 \ + -device cxl-downstream,port=4,bus=us1,id=swport4,chassis=0,slot=8 \ + -device cxl-type3,bus=swport4,volatile-memdev=cxl-mem4,id=cxl-vmem4 \ + -device cxl-downstream,port=5,bus=us1,id=swport5,chassis=0,slot=9 \ + -device cxl-type3,bus=swport5,volatile-memdev=cxl-mem5,id=cxl-vmem5 \ + -device cxl-downstream,port=6,bus=us1,id=swport6,chassis=0,slot=10 \ + -device cxl-type3,bus=swport6,volatile-memdev=cxl-mem6,id=cxl-vmem6 \ + -device cxl-downstream,port=7,bus=us1,id=swport7,chassis=0,slot=11 \ + -device cxl-type3,bus=swport7,volatile-memdev=cxl-mem7,id=cxl-vmem7 \ + -M cxl-fmw.0.targets.0=cxl.1,cxl-fmw.0.size=32G & + +In Guest OS: +$ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0 + +Fix the method to calculate @distance by iterativeley multiplying the +number of targets per switch port. This also follows the algorithm +recommended here [1]. + +Fixes: 27b3f8d13830 ("cxl/region: Program target lists") +Link: http://lore.kernel.org/6538824b52349_7258329466@dwillia2-xfh.jf.intel.com.notmuch [1] +Signed-off-by: Huaisheng Ye +Tested-by: Li Zhijian +[djbw: add a comment explaining 'distance'] +Signed-off-by: Dan Williams +Link: https://patch.msgid.link/173378716722.1270362.9546805175813426729.stgit@dwillia2-xfh.jf.intel.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/region.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c +index 7a9357f42dad..d7f7f88009d7 100644 +--- a/drivers/cxl/core/region.c ++++ b/drivers/cxl/core/region.c +@@ -1167,6 +1167,7 @@ static int cxl_port_setup_targets(struct cxl_port *port, + struct cxl_region_params *p = &cxlr->params; + struct cxl_decoder *cxld = cxl_rr->decoder; + struct cxl_switch_decoder *cxlsd; ++ struct cxl_port *iter = port; + u16 eig, peig; + u8 eiw, peiw; + +@@ -1183,16 +1184,26 @@ static int cxl_port_setup_targets(struct cxl_port *port, + + cxlsd = to_cxl_switch_decoder(&cxld->dev); + if (cxl_rr->nr_targets_set) { +- int i, distance; ++ int i, distance = 1; ++ struct cxl_region_ref *cxl_rr_iter; + + /* +- * Passthrough decoders impose no distance requirements between +- * peers ++ * The "distance" between peer downstream ports represents which ++ * endpoint positions in the region interleave a given port can ++ * host. ++ * ++ * For example, at the root of a hierarchy the distance is ++ * always 1 as every index targets a different host-bridge. At ++ * each subsequent switch level those ports map every Nth region ++ * position where N is the width of the switch == distance. + */ +- if (cxl_rr->nr_targets == 1) +- distance = 0; +- else +- distance = p->nr_targets / cxl_rr->nr_targets; ++ do { ++ cxl_rr_iter = cxl_rr_load(iter, cxlr); ++ distance *= cxl_rr_iter->nr_targets; ++ iter = to_cxl_port(iter->dev.parent); ++ } while (!is_cxl_root(iter)); ++ distance *= cxlrd->cxlsd.cxld.interleave_ways; ++ + for (i = 0; i < cxl_rr->nr_targets_set; i++) + if (ep->dport == cxlsd->target[i]) { + rc = check_last_peer(cxled, ep, cxl_rr, +-- +2.39.5 + diff --git a/queue-6.6/ionic-fix-netdev-notifier-unregister-on-failure.patch b/queue-6.6/ionic-fix-netdev-notifier-unregister-on-failure.patch new file mode 100644 index 00000000000..8ffcf594589 --- /dev/null +++ b/queue-6.6/ionic-fix-netdev-notifier-unregister-on-failure.patch @@ -0,0 +1,43 @@ +From 8226432dd035927c05efd2a616a9e9c9fd581a89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 13:31:55 -0800 +Subject: ionic: Fix netdev notifier unregister on failure + +From: Brett Creeley + +[ Upstream commit 9590d32e090ea2751e131ae5273859ca22f5ac14 ] + +If register_netdev() fails, then the driver leaks the netdev notifier. +Fix this by calling ionic_lif_unregister() on register_netdev() +failure. This will also call ionic_lif_unregister_phc() if it has +already been registered. + +Fixes: 30b87ab4c0b3 ("ionic: remove lif list concept") +Signed-off-by: Brett Creeley +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20241212213157.12212-2-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 9d724d228b83..bc7c5cd38596 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -3736,8 +3736,8 @@ int ionic_lif_register(struct ionic_lif *lif) + /* only register LIF0 for now */ + err = register_netdev(lif->netdev); + if (err) { +- dev_err(lif->ionic->dev, "Cannot register net device, aborting\n"); +- ionic_lif_unregister_phc(lif); ++ dev_err(lif->ionic->dev, "Cannot register net device: %d, aborting\n", err); ++ ionic_lif_unregister(lif); + return err; + } + +-- +2.39.5 + diff --git a/queue-6.6/ionic-use-ee-offset-when-returning-sprom-data.patch b/queue-6.6/ionic-use-ee-offset-when-returning-sprom-data.patch new file mode 100644 index 00000000000..c1af455f154 --- /dev/null +++ b/queue-6.6/ionic-use-ee-offset-when-returning-sprom-data.patch @@ -0,0 +1,42 @@ +From 090fdeae6286e89d03e48c7808bb7b73807a7477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 13:31:57 -0800 +Subject: ionic: use ee->offset when returning sprom data + +From: Shannon Nelson + +[ Upstream commit b096d62ba1323391b2db98b7704e2468cf3b1588 ] + +Some calls into ionic_get_module_eeprom() don't use a single +full buffer size, but instead multiple calls with an offset. +Teach our driver to use the offset correctly so we can +respond appropriately to the caller. + +Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support") +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20241212213157.12212-4-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +index 35829a2851fa..d76e63f57ff1 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +@@ -945,8 +945,8 @@ static int ionic_get_module_eeprom(struct net_device *netdev, + len = min_t(u32, sizeof(xcvr->sprom), ee->len); + + do { +- memcpy(data, xcvr->sprom, len); +- memcpy(tbuf, xcvr->sprom, len); ++ memcpy(data, &xcvr->sprom[ee->offset], len); ++ memcpy(tbuf, &xcvr->sprom[ee->offset], len); + + /* Let's make sure we got a consistent copy */ + if (!memcmp(data, tbuf, len)) +-- +2.39.5 + diff --git a/queue-6.6/ipvs-fix-clamp-of-ip_vs_conn_tab-on-small-memory-sys.patch b/queue-6.6/ipvs-fix-clamp-of-ip_vs_conn_tab-on-small-memory-sys.patch new file mode 100644 index 00000000000..55034d86ae7 --- /dev/null +++ b/queue-6.6/ipvs-fix-clamp-of-ip_vs_conn_tab-on-small-memory-sys.patch @@ -0,0 +1,58 @@ +From 711d2407225b7e562d6d78513aaf55146fcc3c03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Dec 2024 17:30:53 +0000 +Subject: ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems + +From: David Laight + +[ Upstream commit cf2c97423a4f89c8b798294d3f34ecfe7e7035c3 ] + +The 'max_avail' value is calculated from the system memory +size using order_base_2(). +order_base_2(x) is defined as '(x) ? fn(x) : 0'. +The compiler generates two copies of the code that follows +and then expands clamp(max, min, PAGE_SHIFT - 12) (11 on 32bit). +This triggers a compile-time assert since min is 5. + +In reality a system would have to have less than 512MB memory +for the bounds passed to clamp to be reversed. + +Swap the order of the arguments to clamp() to avoid the warning. + +Replace the clamp_val() on the line below with clamp(). +clamp_val() is just 'an accident waiting to happen' and not needed here. + +Detected by compile time checks added to clamp(), specifically: +minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() + +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/all/CA+G9fYsT34UkGFKxus63H6UVpYi5GRZkezT9MRLfAbM3f6ke0g@mail.gmail.com/ +Fixes: 4f325e26277b ("ipvs: dynamically limit the connection hash table") +Tested-by: Bartosz Golaszewski +Reviewed-by: Bartosz Golaszewski +Signed-off-by: David Laight +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_conn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c +index 9065da3cdd12..8182833a3582 100644 +--- a/net/netfilter/ipvs/ip_vs_conn.c ++++ b/net/netfilter/ipvs/ip_vs_conn.c +@@ -1494,8 +1494,8 @@ int __init ip_vs_conn_init(void) + max_avail -= 2; /* ~4 in hash row */ + max_avail -= 1; /* IPVS up to 1/2 of mem */ + max_avail -= order_base_2(sizeof(struct ip_vs_conn)); +- max = clamp(max, min, max_avail); +- ip_vs_conn_tab_bits = clamp_val(ip_vs_conn_tab_bits, min, max); ++ max = clamp(max_avail, min, max); ++ ip_vs_conn_tab_bits = clamp(ip_vs_conn_tab_bits, min, max); + ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits; + ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1; + +-- +2.39.5 + diff --git a/queue-6.6/ksmbd-count-all-requests-in-req_running-counter.patch b/queue-6.6/ksmbd-count-all-requests-in-req_running-counter.patch new file mode 100644 index 00000000000..9bebafec138 --- /dev/null +++ b/queue-6.6/ksmbd-count-all-requests-in-req_running-counter.patch @@ -0,0 +1,54 @@ +From f8e15dfc5f0590d657fbbe1821a05bcde0c15f8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Dec 2024 12:16:45 +0900 +Subject: ksmbd: count all requests in req_running counter + +From: Marios Makassikis + +[ Upstream commit 83c47d9e0ce79b5d7c0b21b9f35402dbde0fa15c ] + +This changes the semantics of req_running to count all in-flight +requests on a given connection, rather than the number of elements +in the conn->request list. The latter is used only in smb2_cancel, +and the counter is not used + +Signed-off-by: Marios Makassikis +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Stable-dep-of: 43fb7bce8866 ("ksmbd: fix broken transfers when exceeding max simultaneous operations") +Signed-off-by: Sasha Levin +--- + fs/smb/server/connection.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c +index a751793c4512..5ded9372b2fb 100644 +--- a/fs/smb/server/connection.c ++++ b/fs/smb/server/connection.c +@@ -120,8 +120,8 @@ void ksmbd_conn_enqueue_request(struct ksmbd_work *work) + if (conn->ops->get_cmd_val(work) != SMB2_CANCEL_HE) + requests_queue = &conn->requests; + ++ atomic_inc(&conn->req_running); + if (requests_queue) { +- atomic_inc(&conn->req_running); + spin_lock(&conn->request_lock); + list_add_tail(&work->request_entry, requests_queue); + spin_unlock(&conn->request_lock); +@@ -132,11 +132,12 @@ void ksmbd_conn_try_dequeue_request(struct ksmbd_work *work) + { + struct ksmbd_conn *conn = work->conn; + ++ atomic_dec(&conn->req_running); ++ + if (list_empty(&work->request_entry) && + list_empty(&work->async_request_entry)) + return; + +- atomic_dec(&conn->req_running); + spin_lock(&conn->request_lock); + list_del_init(&work->request_entry); + spin_unlock(&conn->request_lock); +-- +2.39.5 + diff --git a/queue-6.6/ksmbd-fix-broken-transfers-when-exceeding-max-simult.patch b/queue-6.6/ksmbd-fix-broken-transfers-when-exceeding-max-simult.patch new file mode 100644 index 00000000000..cafbf1ff338 --- /dev/null +++ b/queue-6.6/ksmbd-fix-broken-transfers-when-exceeding-max-simult.patch @@ -0,0 +1,177 @@ +From 9cc3f8a0358ea99b8cbb409055dd7cb0e770b698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Dec 2024 12:17:23 +0900 +Subject: ksmbd: fix broken transfers when exceeding max simultaneous + operations + +From: Marios Makassikis + +[ Upstream commit 43fb7bce8866e793275c4f9f25af6a37745f3416 ] + +Since commit 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB +operations"), ksmbd enforces a maximum number of simultaneous operations +for a connection. The problem is that reaching the limit causes ksmbd to +close the socket, and the client has no indication that it should have +slowed down. + +This behaviour can be reproduced by setting "smb2 max credits = 128" (or +lower), and transferring a large file (25GB). + +smbclient fails as below: + + $ smbclient //192.168.1.254/testshare -U user%pass + smb: \> put file.bin + cli_push returned NT_STATUS_USER_SESSION_DELETED + putting file file.bin as \file.bin smb2cli_req_compound_submit: + Insufficient credits. 0 available, 1 needed + NT_STATUS_INTERNAL_ERROR closing remote file \file.bin + smb: \> smb2cli_req_compound_submit: Insufficient credits. 0 available, + 1 needed + +Windows clients fail with 0x8007003b (with smaller files even). + +Fix this by delaying reading from the socket until there's room to +allocate a request. This effectively applies backpressure on the client, +so the transfer completes, albeit at a slower rate. + +Fixes: 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB operations") +Signed-off-by: Marios Makassikis +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/connection.c | 13 +++++++++++-- + fs/smb/server/connection.h | 1 - + fs/smb/server/server.c | 7 +------ + fs/smb/server/server.h | 1 + + fs/smb/server/transport_ipc.c | 5 ++++- + 5 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c +index 5ded9372b2fb..f3178570329a 100644 +--- a/fs/smb/server/connection.c ++++ b/fs/smb/server/connection.c +@@ -70,7 +70,6 @@ struct ksmbd_conn *ksmbd_conn_alloc(void) + atomic_set(&conn->req_running, 0); + atomic_set(&conn->r_count, 0); + atomic_set(&conn->refcnt, 1); +- atomic_set(&conn->mux_smb_requests, 0); + conn->total_credits = 1; + conn->outstanding_credits = 0; + +@@ -133,6 +132,8 @@ void ksmbd_conn_try_dequeue_request(struct ksmbd_work *work) + struct ksmbd_conn *conn = work->conn; + + atomic_dec(&conn->req_running); ++ if (waitqueue_active(&conn->req_running_q)) ++ wake_up(&conn->req_running_q); + + if (list_empty(&work->request_entry) && + list_empty(&work->async_request_entry)) +@@ -309,7 +310,7 @@ int ksmbd_conn_handler_loop(void *p) + { + struct ksmbd_conn *conn = (struct ksmbd_conn *)p; + struct ksmbd_transport *t = conn->transport; +- unsigned int pdu_size, max_allowed_pdu_size; ++ unsigned int pdu_size, max_allowed_pdu_size, max_req; + char hdr_buf[4] = {0,}; + int size; + +@@ -319,6 +320,7 @@ int ksmbd_conn_handler_loop(void *p) + if (t->ops->prepare && t->ops->prepare(t)) + goto out; + ++ max_req = server_conf.max_inflight_req; + conn->last_active = jiffies; + set_freezable(); + while (ksmbd_conn_alive(conn)) { +@@ -328,6 +330,13 @@ int ksmbd_conn_handler_loop(void *p) + kvfree(conn->request_buf); + conn->request_buf = NULL; + ++recheck: ++ if (atomic_read(&conn->req_running) + 1 > max_req) { ++ wait_event_interruptible(conn->req_running_q, ++ atomic_read(&conn->req_running) < max_req); ++ goto recheck; ++ } ++ + size = t->ops->read(t, hdr_buf, sizeof(hdr_buf), -1); + if (size != sizeof(hdr_buf)) + break; +diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h +index 368295fb18a7..82343afc8d04 100644 +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -107,7 +107,6 @@ struct ksmbd_conn { + __le16 signing_algorithm; + bool binding; + atomic_t refcnt; +- atomic_t mux_smb_requests; + }; + + struct ksmbd_conn_ops { +diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c +index 7f9aca4aa742..71e1c1db9dea 100644 +--- a/fs/smb/server/server.c ++++ b/fs/smb/server/server.c +@@ -270,7 +270,6 @@ static void handle_ksmbd_work(struct work_struct *wk) + + ksmbd_conn_try_dequeue_request(work); + ksmbd_free_work_struct(work); +- atomic_dec(&conn->mux_smb_requests); + /* + * Checking waitqueue to dropping pending requests on + * disconnection. waitqueue_active is safe because it +@@ -300,11 +299,6 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn) + if (err) + return 0; + +- if (atomic_inc_return(&conn->mux_smb_requests) >= conn->vals->max_credits) { +- atomic_dec_return(&conn->mux_smb_requests); +- return -ENOSPC; +- } +- + work = ksmbd_alloc_work_struct(); + if (!work) { + pr_err("allocation for work failed\n"); +@@ -367,6 +361,7 @@ static int server_conf_init(void) + server_conf.auth_mechs |= KSMBD_AUTH_KRB5 | + KSMBD_AUTH_MSKRB5; + #endif ++ server_conf.max_inflight_req = SMB2_MAX_CREDITS; + return 0; + } + +diff --git a/fs/smb/server/server.h b/fs/smb/server/server.h +index db7278181760..4d06f2eb0d6a 100644 +--- a/fs/smb/server/server.h ++++ b/fs/smb/server/server.h +@@ -42,6 +42,7 @@ struct ksmbd_server_config { + struct smb_sid domain_sid; + unsigned int auth_mechs; + unsigned int max_connections; ++ unsigned int max_inflight_req; + + char *conf[SERVER_CONF_WORK_GROUP + 1]; + }; +diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c +index 8752ac82c557..c12b70d01880 100644 +--- a/fs/smb/server/transport_ipc.c ++++ b/fs/smb/server/transport_ipc.c +@@ -305,8 +305,11 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req) + init_smb2_max_write_size(req->smb2_max_write); + if (req->smb2_max_trans) + init_smb2_max_trans_size(req->smb2_max_trans); +- if (req->smb2_max_credits) ++ if (req->smb2_max_credits) { + init_smb2_max_credits(req->smb2_max_credits); ++ server_conf.max_inflight_req = ++ req->smb2_max_credits; ++ } + if (req->smbd_max_io_size) + init_smbd_max_io_size(req->smbd_max_io_size); + +-- +2.39.5 + diff --git a/queue-6.6/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch b/queue-6.6/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch new file mode 100644 index 00000000000..5af113bd408 --- /dev/null +++ b/queue-6.6/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch @@ -0,0 +1,51 @@ +From d44e0d6d4722c38bd31939b8a46de51308133a60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Dec 2024 10:49:12 +0900 +Subject: net: ethernet: bgmac-platform: fix an OF node reference leak + +From: Joe Hattori + +[ Upstream commit 0cb2c504d79e7caa3abade3f466750c82ad26f01 ] + +The OF node obtained by of_parse_phandle() is not freed. Call +of_node_put() to balance the refcount. + +This bug was found by an experimental static analysis tool that I am +developing. + +Fixes: 1676aba5ef7e ("net: ethernet: bgmac: device tree phy enablement") +Signed-off-by: Joe Hattori +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241214014912.2810315-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac-platform.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bgmac-platform.c b/drivers/net/ethernet/broadcom/bgmac-platform.c +index b4381cd41979..3f4e8bac40c1 100644 +--- a/drivers/net/ethernet/broadcom/bgmac-platform.c ++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c +@@ -171,6 +171,7 @@ static int platform_phy_connect(struct bgmac *bgmac) + static int bgmac_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; ++ struct device_node *phy_node; + struct bgmac *bgmac; + struct resource *regs; + int ret; +@@ -236,7 +237,9 @@ static int bgmac_probe(struct platform_device *pdev) + bgmac->cco_ctl_maskset = platform_bgmac_cco_ctl_maskset; + bgmac->get_bus_clock = platform_bgmac_get_bus_clock; + bgmac->cmn_maskset32 = platform_bgmac_cmn_maskset32; +- if (of_parse_phandle(np, "phy-handle", 0)) { ++ phy_node = of_parse_phandle(np, "phy-handle", 0); ++ if (phy_node) { ++ of_node_put(phy_node); + bgmac->phy_connect = platform_phy_connect; + } else { + bgmac->phy_connect = bgmac_phy_connect_direct; +-- +2.39.5 + diff --git a/queue-6.6/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch b/queue-6.6/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch new file mode 100644 index 00000000000..b4d64227372 --- /dev/null +++ b/queue-6.6/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch @@ -0,0 +1,54 @@ +From 4d6f5ce80ac00e28ddb8fde0a41c24ddbbfa490e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 17:28:11 +0300 +Subject: net: hinic: Fix cleanup in create_rxqs/txqs() + +From: Dan Carpenter + +[ Upstream commit 7203d10e93b6e6e1d19481ef7907de6a9133a467 ] + +There is a check for NULL at the start of create_txqs() and +create_rxqs() which tess if "nic_dev->txqs" is non-NULL. The +intention is that if the device is already open and the queues +are already created then we don't create them a second time. + +However, the bug is that if we have an error in the create_txqs() +then the pointer doesn't get set back to NULL. The NULL check +at the start of the function will say that it's already open when +it's not and the device can't be used. + +Set ->txqs back to NULL on cleanup on error. + +Fixes: c3e79baf1b03 ("net-next/hinic: Add logical Txq and Rxq") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/0cc98faf-a0ed-4565-a55b-0fa2734bc205@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c +index 499c657d37a9..579c3dc0014c 100644 +--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c +@@ -172,6 +172,7 @@ static int create_txqs(struct hinic_dev *nic_dev) + hinic_sq_dbgfs_uninit(nic_dev); + + devm_kfree(&netdev->dev, nic_dev->txqs); ++ nic_dev->txqs = NULL; + return err; + } + +@@ -268,6 +269,7 @@ static int create_rxqs(struct hinic_dev *nic_dev) + hinic_rq_dbgfs_uninit(nic_dev); + + devm_kfree(&netdev->dev, nic_dev->rxqs); ++ nic_dev->rxqs = NULL; + return err; + } + +-- +2.39.5 + diff --git a/queue-6.6/net-mdiobus-fix-an-of-node-reference-leak.patch b/queue-6.6/net-mdiobus-fix-an-of-node-reference-leak.patch new file mode 100644 index 00000000000..5472173d3ba --- /dev/null +++ b/queue-6.6/net-mdiobus-fix-an-of-node-reference-leak.patch @@ -0,0 +1,61 @@ +From 863e0b194a19f3c9b1f1faa87de904fe2063a689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 12:51:06 +0900 +Subject: net: mdiobus: fix an OF node reference leak + +From: Joe Hattori + +[ Upstream commit 572af9f284669d31d9175122bbef9bc62cea8ded ] + +fwnode_find_mii_timestamper() calls of_parse_phandle_with_fixed_args() +but does not decrement the refcount of the obtained OF node. Add an +of_node_put() call before returning from the function. + +This bug was detected by an experimental static analysis tool that I am +developing. + +Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()") +Signed-off-by: Joe Hattori +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20241218035106.1436405-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/fwnode_mdio.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c +index 1183ef5e203e..c62f2e85414d 100644 +--- a/drivers/net/mdio/fwnode_mdio.c ++++ b/drivers/net/mdio/fwnode_mdio.c +@@ -38,6 +38,7 @@ fwnode_find_pse_control(struct fwnode_handle *fwnode) + static struct mii_timestamper * + fwnode_find_mii_timestamper(struct fwnode_handle *fwnode) + { ++ struct mii_timestamper *mii_ts; + struct of_phandle_args arg; + int err; + +@@ -51,10 +52,16 @@ fwnode_find_mii_timestamper(struct fwnode_handle *fwnode) + else if (err) + return ERR_PTR(err); + +- if (arg.args_count != 1) +- return ERR_PTR(-EINVAL); ++ if (arg.args_count != 1) { ++ mii_ts = ERR_PTR(-EINVAL); ++ goto put_node; ++ } ++ ++ mii_ts = register_mii_timestamper(arg.np, arg.args[0]); + +- return register_mii_timestamper(arg.np, arg.args[0]); ++put_node: ++ of_node_put(arg.np); ++ return mii_ts; + } + + int fwnode_mdiobus_phy_device_register(struct mii_bus *mdio, +-- +2.39.5 + diff --git a/queue-6.6/net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch b/queue-6.6/net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch new file mode 100644 index 00000000000..3720aafb5bc --- /dev/null +++ b/queue-6.6/net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch @@ -0,0 +1,73 @@ +From 56f10df68bc57ae48c3edd22d04d5c7154266636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 18:55:45 +0200 +Subject: net: mscc: ocelot: fix incorrect IFH SRC_PORT field in + ocelot_ifh_set_basic() + +From: Vladimir Oltean + +[ Upstream commit 2d5df3a680ffdaf606baa10636bdb1daf757832e ] + +Packets injected by the CPU should have a SRC_PORT field equal to the +CPU port module index in the Analyzer block (ocelot->num_phys_ports). + +The blamed commit copied the ocelot_ifh_set_basic() call incorrectly +from ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling +with "x", it calls with BIT_ULL(x), but the field is not a port mask, +but rather a single port index. + +[ side note: this is the technical debt of code duplication :( ] + +The error used to be silent and doesn't appear to have other +user-visible manifestations, but with new changes in the packing +library, it now fails loudly as follows: + +------------[ cut here ]------------ +Cannot store 0x40 inside bits 46-43 - will truncate +sja1105 spi2.0: xmit timed out +WARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198 +sja1105 spi2.0: timed out polling for tstamp +CPU: 1 UID: 0 PID: 102 Comm: felix_xmit +Tainted: G W N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605 +Call trace: + __pack+0x90/0x198 (P) + __pack+0x90/0x198 (L) + packing+0x78/0x98 + ocelot_ifh_set_basic+0x260/0x368 + ocelot_port_inject_frame+0xa8/0x250 + felix_port_deferred_xmit+0x14c/0x258 + kthread_worker_fn+0x134/0x350 + kthread+0x114/0x138 + +The code path pertains to the ocelot switchdev driver and to the felix +secondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q. + +The messenger (packing) is not really to blame, so fix the original +commit instead. + +Fixes: e1b9e80236c5 ("net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q"") +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241212165546.879567-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index c2118bde908b..f6aa5d6b6597 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -1266,7 +1266,7 @@ void ocelot_ifh_set_basic(void *ifh, struct ocelot *ocelot, int port, + + memset(ifh, 0, OCELOT_TAG_LEN); + ocelot_ifh_set_bypass(ifh, 1); +- ocelot_ifh_set_src(ifh, BIT_ULL(ocelot->num_phys_ports)); ++ ocelot_ifh_set_src(ifh, ocelot->num_phys_ports); + ocelot_ifh_set_dest(ifh, BIT_ULL(port)); + ocelot_ifh_set_qos_class(ifh, qos_class); + ocelot_ifh_set_tag_type(ifh, tag_type); +-- +2.39.5 + diff --git a/queue-6.6/net-renesas-rswitch-rework-ts-tags-management.patch b/queue-6.6/net-renesas-rswitch-rework-ts-tags-management.patch new file mode 100644 index 00000000000..dbdf74825e8 --- /dev/null +++ b/queue-6.6/net-renesas-rswitch-rework-ts-tags-management.patch @@ -0,0 +1,229 @@ +From a862c45b7a2cc72824c3adee95872f87f46c4672 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 11:25:58 +0500 +Subject: net: renesas: rswitch: rework ts tags management + +From: Nikita Yushchenko + +[ Upstream commit 922b4b955a03d19fea98938f33ef0e62d01f5159 ] + +The existing linked list based implementation of how ts tags are +assigned and managed is unsafe against concurrency and corner cases: +- element addition in tx processing can race against element removal + in ts queue completion, +- element removal in ts queue completion can race against element + removal in device close, +- if a large number of frames gets added to tx queue without ts queue + completions in between, elements with duplicate tag values can get + added. + +Use a different implementation, based on per-port used tags bitmaps and +saved skb arrays. + +Safety for addition in tx processing vs removal in ts completion is +provided by: + + tag = find_first_zero_bit(...); + smp_mb(); + ts_skb[tag]> + set_bit(...); + + vs + + ts_skb[tag]> + smp_mb(); + clear_bit(...); + +Safety for removal in ts completion vs removal in device close is +provided by using atomic read-and-clear for rdev->ts_skb[tag]: + + ts_skb = xchg(&rdev->ts_skb[tag], NULL); + if (ts_skb) + + +Fixes: 33f5d733b589 ("net: renesas: rswitch: Improve TX timestamp accuracy") +Signed-off-by: Nikita Yushchenko +Link: https://patch.msgid.link/20241212062558.436455-1-nikita.yoush@cogentembedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 74 ++++++++++++++------------ + drivers/net/ethernet/renesas/rswitch.h | 13 ++--- + 2 files changed, 42 insertions(+), 45 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 8abad9bb629e..54aa56c84133 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -546,7 +546,6 @@ static int rswitch_gwca_ts_queue_alloc(struct rswitch_private *priv) + desc = &gq->ts_ring[gq->ring_size]; + desc->desc.die_dt = DT_LINKFIX; + rswitch_desc_set_dptr(&desc->desc, gq->ring_dma); +- INIT_LIST_HEAD(&priv->gwca.ts_info_list); + + return 0; + } +@@ -934,9 +933,10 @@ static int rswitch_gwca_request_irqs(struct rswitch_private *priv) + static void rswitch_ts(struct rswitch_private *priv) + { + struct rswitch_gwca_queue *gq = &priv->gwca.ts_queue; +- struct rswitch_gwca_ts_info *ts_info, *ts_info2; + struct skb_shared_hwtstamps shhwtstamps; + struct rswitch_ts_desc *desc; ++ struct rswitch_device *rdev; ++ struct sk_buff *ts_skb; + struct timespec64 ts; + unsigned int num; + u32 tag, port; +@@ -946,23 +946,28 @@ static void rswitch_ts(struct rswitch_private *priv) + dma_rmb(); + + port = TS_DESC_DPN(__le32_to_cpu(desc->desc.dptrl)); +- tag = TS_DESC_TSUN(__le32_to_cpu(desc->desc.dptrl)); +- +- list_for_each_entry_safe(ts_info, ts_info2, &priv->gwca.ts_info_list, list) { +- if (!(ts_info->port == port && ts_info->tag == tag)) +- continue; +- +- memset(&shhwtstamps, 0, sizeof(shhwtstamps)); +- ts.tv_sec = __le32_to_cpu(desc->ts_sec); +- ts.tv_nsec = __le32_to_cpu(desc->ts_nsec & cpu_to_le32(0x3fffffff)); +- shhwtstamps.hwtstamp = timespec64_to_ktime(ts); +- skb_tstamp_tx(ts_info->skb, &shhwtstamps); +- dev_consume_skb_irq(ts_info->skb); +- list_del(&ts_info->list); +- kfree(ts_info); +- break; +- } ++ if (unlikely(port >= RSWITCH_NUM_PORTS)) ++ goto next; ++ rdev = priv->rdev[port]; + ++ tag = TS_DESC_TSUN(__le32_to_cpu(desc->desc.dptrl)); ++ if (unlikely(tag >= TS_TAGS_PER_PORT)) ++ goto next; ++ ts_skb = xchg(&rdev->ts_skb[tag], NULL); ++ smp_mb(); /* order rdev->ts_skb[] read before bitmap update */ ++ clear_bit(tag, rdev->ts_skb_used); ++ ++ if (unlikely(!ts_skb)) ++ goto next; ++ ++ memset(&shhwtstamps, 0, sizeof(shhwtstamps)); ++ ts.tv_sec = __le32_to_cpu(desc->ts_sec); ++ ts.tv_nsec = __le32_to_cpu(desc->ts_nsec & cpu_to_le32(0x3fffffff)); ++ shhwtstamps.hwtstamp = timespec64_to_ktime(ts); ++ skb_tstamp_tx(ts_skb, &shhwtstamps); ++ dev_consume_skb_irq(ts_skb); ++ ++next: + gq->cur = rswitch_next_queue_index(gq, true, 1); + desc = &gq->ts_ring[gq->cur]; + } +@@ -1505,8 +1510,9 @@ static int rswitch_open(struct net_device *ndev) + static int rswitch_stop(struct net_device *ndev) + { + struct rswitch_device *rdev = netdev_priv(ndev); +- struct rswitch_gwca_ts_info *ts_info, *ts_info2; ++ struct sk_buff *ts_skb; + unsigned long flags; ++ unsigned int tag; + + netif_tx_stop_all_queues(ndev); + +@@ -1523,12 +1529,13 @@ static int rswitch_stop(struct net_device *ndev) + if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS)) + iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDID); + +- list_for_each_entry_safe(ts_info, ts_info2, &rdev->priv->gwca.ts_info_list, list) { +- if (ts_info->port != rdev->port) +- continue; +- dev_kfree_skb_irq(ts_info->skb); +- list_del(&ts_info->list); +- kfree(ts_info); ++ for (tag = find_first_bit(rdev->ts_skb_used, TS_TAGS_PER_PORT); ++ tag < TS_TAGS_PER_PORT; ++ tag = find_next_bit(rdev->ts_skb_used, TS_TAGS_PER_PORT, tag + 1)) { ++ ts_skb = xchg(&rdev->ts_skb[tag], NULL); ++ clear_bit(tag, rdev->ts_skb_used); ++ if (ts_skb) ++ dev_kfree_skb(ts_skb); + } + + return 0; +@@ -1541,20 +1548,17 @@ static bool rswitch_ext_desc_set_info1(struct rswitch_device *rdev, + desc->info1 = cpu_to_le64(INFO1_DV(BIT(rdev->etha->index)) | + INFO1_IPV(GWCA_IPV_NUM) | INFO1_FMT); + if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) { +- struct rswitch_gwca_ts_info *ts_info; ++ unsigned int tag; + +- ts_info = kzalloc(sizeof(*ts_info), GFP_ATOMIC); +- if (!ts_info) ++ tag = find_first_zero_bit(rdev->ts_skb_used, TS_TAGS_PER_PORT); ++ if (tag == TS_TAGS_PER_PORT) + return false; ++ smp_mb(); /* order bitmap read before rdev->ts_skb[] write */ ++ rdev->ts_skb[tag] = skb_get(skb); ++ set_bit(tag, rdev->ts_skb_used); + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; +- rdev->ts_tag++; +- desc->info1 |= cpu_to_le64(INFO1_TSUN(rdev->ts_tag) | INFO1_TXC); +- +- ts_info->skb = skb_get(skb); +- ts_info->port = rdev->port; +- ts_info->tag = rdev->ts_tag; +- list_add_tail(&ts_info->list, &rdev->priv->gwca.ts_info_list); ++ desc->info1 |= cpu_to_le64(INFO1_TSUN(tag) | INFO1_TXC); + + skb_tx_timestamp(skb); + } +diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h +index f2d1cd47187d..0c93ef16b43e 100644 +--- a/drivers/net/ethernet/renesas/rswitch.h ++++ b/drivers/net/ethernet/renesas/rswitch.h +@@ -965,14 +965,6 @@ struct rswitch_gwca_queue { + }; + }; + +-struct rswitch_gwca_ts_info { +- struct sk_buff *skb; +- struct list_head list; +- +- int port; +- u8 tag; +-}; +- + #define RSWITCH_NUM_IRQ_REGS (RSWITCH_MAX_NUM_QUEUES / BITS_PER_TYPE(u32)) + struct rswitch_gwca { + unsigned int index; +@@ -982,7 +974,6 @@ struct rswitch_gwca { + struct rswitch_gwca_queue *queues; + int num_queues; + struct rswitch_gwca_queue ts_queue; +- struct list_head ts_info_list; + DECLARE_BITMAP(used, RSWITCH_MAX_NUM_QUEUES); + u32 tx_irq_bits[RSWITCH_NUM_IRQ_REGS]; + u32 rx_irq_bits[RSWITCH_NUM_IRQ_REGS]; +@@ -990,6 +981,7 @@ struct rswitch_gwca { + }; + + #define NUM_QUEUES_PER_NDEV 2 ++#define TS_TAGS_PER_PORT 256 + struct rswitch_device { + struct rswitch_private *priv; + struct net_device *ndev; +@@ -997,7 +989,8 @@ struct rswitch_device { + void __iomem *addr; + struct rswitch_gwca_queue *tx_queue; + struct rswitch_gwca_queue *rx_queue; +- u8 ts_tag; ++ struct sk_buff *ts_skb[TS_TAGS_PER_PORT]; ++ DECLARE_BITMAP(ts_skb_used, TS_TAGS_PER_PORT); + bool disabled; + + int port; +-- +2.39.5 + diff --git a/queue-6.6/net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch b/queue-6.6/net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch new file mode 100644 index 00000000000..1fb0f8bed12 --- /dev/null +++ b/queue-6.6/net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch @@ -0,0 +1,90 @@ +From 35d11bd513ed2958819a1217612b0eeac094f259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:18 +0800 +Subject: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving + proposal msg + +From: Guangguan Wang + +[ Upstream commit a29e220d3c8edbf0e1beb0f028878a4a85966556 ] + +When receiving proposal msg in server, the field iparea_offset +and the field ipv6_prefixes_cnt in proposal msg are from the +remote client and can not be fully trusted. Especially the +field iparea_offset, once exceed the max value, there has the +chance to access wrong address, and crash may happen. + +This patch checks iparea_offset and ipv6_prefixes_cnt before using them. + +Fixes: e7b7a64a8493 ("smc: support variable CLC proposal messages") +Signed-off-by: Guangguan Wang +Reviewed-by: Wen Gu +Reviewed-by: D. Wythe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 6 +++++- + net/smc/smc_clc.c | 4 ++++ + net/smc/smc_clc.h | 6 +++++- + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 06d607e676f6..8551e097ad33 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2039,6 +2039,8 @@ static int smc_listen_prfx_check(struct smc_sock *new_smc, + if (pclc->hdr.typev1 == SMC_TYPE_N) + return 0; + pclc_prfx = smc_clc_proposal_get_prefix(pclc); ++ if (!pclc_prfx) ++ return -EPROTO; + if (smc_clc_prfx_match(newclcsock, pclc_prfx)) + return SMC_CLC_DECL_DIFFPREFIX; + +@@ -2228,7 +2230,9 @@ static void smc_find_ism_v1_device_serv(struct smc_sock *new_smc, + int rc = 0; + + /* check if ISM V1 is available */ +- if (!(ini->smcd_version & SMC_V1) || !smcd_indicated(ini->smc_type_v1)) ++ if (!(ini->smcd_version & SMC_V1) || ++ !smcd_indicated(ini->smc_type_v1) || ++ !pclc_smcd) + goto not_found; + ini->is_smcd = true; /* prepare ISM check */ + ini->ism_peer_gid[0].gid = ntohll(pclc_smcd->ism.gid); +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index 0084960a203d..b8fd64392209 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -354,6 +354,10 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc) + + v2_ext = smc_get_clc_v2_ext(pclc); + pclc_prfx = smc_clc_proposal_get_prefix(pclc); ++ if (!pclc_prfx || ++ pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX) ++ return false; ++ + if (hdr->version == SMC_V1) { + if (hdr->typev1 == SMC_TYPE_N) + return false; +diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h +index c8d6282ec9c0..eb843907c9d0 100644 +--- a/net/smc/smc_clc.h ++++ b/net/smc/smc_clc.h +@@ -320,8 +320,12 @@ struct smc_clc_msg_decline_v2 { /* clc decline message */ + static inline struct smc_clc_msg_proposal_prefix * + smc_clc_proposal_get_prefix(struct smc_clc_msg_proposal *pclc) + { ++ u16 offset = ntohs(pclc->iparea_offset); ++ ++ if (offset > sizeof(struct smc_clc_msg_smcd)) ++ return NULL; + return (struct smc_clc_msg_proposal_prefix *) +- ((u8 *)pclc + sizeof(*pclc) + ntohs(pclc->iparea_offset)); ++ ((u8 *)pclc + sizeof(*pclc) + offset); + } + + static inline bool smcr_indicated(int smc_type) +-- +2.39.5 + diff --git a/queue-6.6/net-smc-check-return-value-of-sock_recvmsg-when-drai.patch b/queue-6.6/net-smc-check-return-value-of-sock_recvmsg-when-drai.patch new file mode 100644 index 00000000000..b8ac065b638 --- /dev/null +++ b/queue-6.6/net-smc-check-return-value-of-sock_recvmsg-when-drai.patch @@ -0,0 +1,47 @@ +From e9310434a0352640d340542254b733d6be3135c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:21 +0800 +Subject: net/smc: check return value of sock_recvmsg when draining clc data + +From: Guangguan Wang + +[ Upstream commit c5b8ee5022a19464783058dc6042e8eefa34e8cd ] + +When receiving clc msg, the field length in smc_clc_msg_hdr indicates the +length of msg should be received from network and the value should not be +fully trusted as it is from the network. Once the value of length exceeds +the value of buflen in function smc_clc_wait_msg it may run into deadloop +when trying to drain the remaining data exceeding buflen. + +This patch checks the return value of sock_recvmsg when draining data in +case of deadloop in draining. + +Fixes: fb4f79264c0f ("net/smc: tolerate future SMCD versions") +Signed-off-by: Guangguan Wang +Reviewed-by: Wen Gu +Reviewed-by: D. Wythe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_clc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index 286d6b19a1f1..dbce904c03cf 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -773,6 +773,11 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, + SMC_CLC_RECV_BUF_LEN : datlen; + iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1, recvlen); + len = sock_recvmsg(smc->clcsock, &msg, krflags); ++ if (len < recvlen) { ++ smc->sk.sk_err = EPROTO; ++ reason_code = -EPROTO; ++ goto out; ++ } + datlen -= len; + } + if (clcm->type == SMC_CLC_DECLINE) { +-- +2.39.5 + diff --git a/queue-6.6/net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch b/queue-6.6/net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch new file mode 100644 index 00000000000..8e63501b5b5 --- /dev/null +++ b/queue-6.6/net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch @@ -0,0 +1,64 @@ +From 060aed4b87242f6d1cadd25ff3500d77853a7ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:20 +0800 +Subject: net/smc: check smcd_v2_ext_offset when receiving proposal msg + +From: Guangguan Wang + +[ Upstream commit 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad ] + +When receiving proposal msg in server, the field smcd_v2_ext_offset in +proposal msg is from the remote client and can not be fully trusted. +Once the value of smcd_v2_ext_offset exceed the max value, there has +the chance to access wrong address, and crash may happen. + +This patch checks the value of smcd_v2_ext_offset before using it. + +Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices") +Signed-off-by: Guangguan Wang +Reviewed-by: Wen Gu +Reviewed-by: D. Wythe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 2 ++ + net/smc/smc_clc.h | 8 +++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 079ca4f1077d..0acf07538840 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2154,6 +2154,8 @@ static void smc_find_ism_v2_device_serv(struct smc_sock *new_smc, + pclc_smcd = smc_get_clc_msg_smcd(pclc); + smc_v2_ext = smc_get_clc_v2_ext(pclc); + smcd_v2_ext = smc_get_clc_smcd_v2_ext(smc_v2_ext); ++ if (!pclc_smcd || !smc_v2_ext || !smcd_v2_ext) ++ goto not_found; + + mutex_lock(&smcd_dev_list.mutex); + if (pclc_smcd->ism.chid) { +diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h +index a3706300e04f..6e24d44de4a7 100644 +--- a/net/smc/smc_clc.h ++++ b/net/smc/smc_clc.h +@@ -384,9 +384,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop) + static inline struct smc_clc_smcd_v2_extension * + smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext) + { ++ u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) - ++ offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) - ++ offsetof(struct smc_clc_v2_extension, hdr) - ++ offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset); ++ + if (!prop_v2ext) + return NULL; +- if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset)) ++ if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) || ++ ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset) + return NULL; + + return (struct smc_clc_smcd_v2_extension *) +-- +2.39.5 + diff --git a/queue-6.6/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch b/queue-6.6/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch new file mode 100644 index 00000000000..388b167c54f --- /dev/null +++ b/queue-6.6/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch @@ -0,0 +1,63 @@ +From 1af083e47de7d30b292ac8788c1061b425c10f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:17 +0800 +Subject: net/smc: check sndbuf_space again after NOSPACE flag is set in + smc_poll + +From: Guangguan Wang + +[ Upstream commit 679e9ddcf90dbdf98aaaa71a492454654b627bcb ] + +When application sending data more than sndbuf_space, there have chances +application will sleep in epoll_wait, and will never be wakeup again. This +is caused by a race between smc_poll and smc_cdc_tx_handler. + +application tasklet +smc_tx_sendmsg(len > sndbuf_space) | +epoll_wait for EPOLL_OUT,timeout=0 | + smc_poll | + if (!smc->conn.sndbuf_space) | + | smc_cdc_tx_handler + | atomic_add sndbuf_space + | smc_tx_sndbuf_nonfull + | if (!test_bit SOCK_NOSPACE) + | do not sk_write_space; + set_bit SOCK_NOSPACE; | + return mask=0; | + +Application will sleep in epoll_wait as smc_poll returns 0. And +smc_cdc_tx_handler will not call sk_write_space because the SOCK_NOSPACE +has not be set. If there is no inflight cdc msg, sk_write_space will not be +called any more, and application will sleep in epoll_wait forever. +So check sndbuf_space again after NOSPACE flag is set to break the race. + +Fixes: 8dce2786a290 ("net/smc: smc_poll improvements") +Signed-off-by: Guangguan Wang +Suggested-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 77c6c0dff069..06d607e676f6 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2888,6 +2888,13 @@ static __poll_t smc_poll(struct file *file, struct socket *sock, + } else { + sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk); + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); ++ ++ if (sk->sk_state != SMC_INIT) { ++ /* Race breaker the same way as tcp_poll(). */ ++ smp_mb__after_atomic(); ++ if (atomic_read(&smc->conn.sndbuf_space)) ++ mask |= EPOLLOUT | EPOLLWRNORM; ++ } + } + if (atomic_read(&smc->conn.bytes_to_rcv)) + mask |= EPOLLIN | EPOLLRDNORM; +-- +2.39.5 + diff --git a/queue-6.6/net-smc-check-v2_ext_offset-eid_cnt-ism_gid_cnt-when.patch b/queue-6.6/net-smc-check-v2_ext_offset-eid_cnt-ism_gid_cnt-when.patch new file mode 100644 index 00000000000..55d8a0c9b17 --- /dev/null +++ b/queue-6.6/net-smc-check-v2_ext_offset-eid_cnt-ism_gid_cnt-when.patch @@ -0,0 +1,94 @@ +From 049816157874ef17ad4a5a13dbd40dea66cea9ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:19 +0800 +Subject: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving + proposal msg + +From: Guangguan Wang + +[ Upstream commit 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf ] + +When receiving proposal msg in server, the fields v2_ext_offset/ +eid_cnt/ism_gid_cnt in proposal msg are from the remote client +and can not be fully trusted. Especially the field v2_ext_offset, +once exceed the max value, there has the chance to access wrong +address, and crash may happen. + +This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt +before using them. + +Fixes: 8c3dca341aea ("net/smc: build and send V2 CLC proposal") +Signed-off-by: Guangguan Wang +Reviewed-by: Wen Gu +Reviewed-by: D. Wythe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 3 ++- + net/smc/smc_clc.c | 8 +++++++- + net/smc/smc_clc.h | 8 +++++++- + 3 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 8551e097ad33..079ca4f1077d 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2283,7 +2283,8 @@ static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc, + goto not_found; + + smc_v2_ext = smc_get_clc_v2_ext(pclc); +- if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL)) ++ if (!smc_v2_ext || ++ !smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL)) + goto not_found; + + /* prepare RDMA check */ +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index b8fd64392209..286d6b19a1f1 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -352,7 +352,6 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc) + struct smc_clc_msg_hdr *hdr = &pclc->hdr; + struct smc_clc_v2_extension *v2_ext; + +- v2_ext = smc_get_clc_v2_ext(pclc); + pclc_prfx = smc_clc_proposal_get_prefix(pclc); + if (!pclc_prfx || + pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX) +@@ -369,6 +368,13 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc) + sizeof(struct smc_clc_msg_trail)) + return false; + } else { ++ v2_ext = smc_get_clc_v2_ext(pclc); ++ if ((hdr->typev2 != SMC_TYPE_N && ++ (!v2_ext || v2_ext->hdr.eid_cnt > SMC_CLC_MAX_UEID)) || ++ (smcd_indicated(hdr->typev2) && ++ v2_ext->hdr.ism_gid_cnt > SMCD_CLC_MAX_V2_GID_ENTRIES)) ++ return false; ++ + if (ntohs(hdr->length) != + sizeof(*pclc) + + sizeof(struct smc_clc_msg_smcd) + +diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h +index eb843907c9d0..a3706300e04f 100644 +--- a/net/smc/smc_clc.h ++++ b/net/smc/smc_clc.h +@@ -364,8 +364,14 @@ static inline struct smc_clc_v2_extension * + smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop) + { + struct smc_clc_msg_smcd *prop_smcd = smc_get_clc_msg_smcd(prop); ++ u16 max_offset; + +- if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset)) ++ max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) - ++ offsetof(struct smc_clc_msg_proposal_area, pclc_smcd) - ++ offsetofend(struct smc_clc_msg_smcd, v2_ext_offset); ++ ++ if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset) || ++ ntohs(prop_smcd->v2_ext_offset) > max_offset) + return NULL; + + return (struct smc_clc_v2_extension *) +-- +2.39.5 + diff --git a/queue-6.6/net-smc-protect-link-down-work-from-execute-after-lg.patch b/queue-6.6/net-smc-protect-link-down-work-from-execute-after-lg.patch new file mode 100644 index 00000000000..2006e89e8ee --- /dev/null +++ b/queue-6.6/net-smc-protect-link-down-work-from-execute-after-lg.patch @@ -0,0 +1,89 @@ +From 3c970c7c5ec9bfecaa629d93f03706798656b9f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:16 +0800 +Subject: net/smc: protect link down work from execute after lgr freed + +From: Guangguan Wang + +[ Upstream commit 2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec ] + +link down work may be scheduled before lgr freed but execute +after lgr freed, which may result in crash. So it is need to +hold a reference before shedule link down work, and put the +reference after work executed or canceled. + +The relevant crash call stack as follows: + list_del corruption. prev->next should be ffffb638c9c0fe20, + but was 0000000000000000 + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:51! + invalid opcode: 0000 [#1] SMP NOPTI + CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 + Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 + Workqueue: events smc_link_down_work [smc] + RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 + RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 + RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 + RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 + RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 + R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 + R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 + FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + rwsem_down_write_slowpath+0x17e/0x470 + smc_link_down_work+0x3c/0x60 [smc] + process_one_work+0x1ac/0x350 + worker_thread+0x49/0x2f0 + ? rescuer_thread+0x360/0x360 + kthread+0x118/0x140 + ? __kthread_bind_mask+0x60/0x60 + ret_from_fork+0x1f/0x30 + +Fixes: 541afa10c126 ("net/smc: add smcr_port_err() and smcr_link_down() processing") +Signed-off-by: Guangguan Wang +Reviewed-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c +index 3d5c542cd231..3c626c014d1d 100644 +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -1767,7 +1767,9 @@ void smcr_link_down_cond_sched(struct smc_link *lnk) + { + if (smc_link_downing(&lnk->state)) { + trace_smcr_link_down(lnk, __builtin_return_address(0)); +- schedule_work(&lnk->link_down_wrk); ++ smcr_link_hold(lnk); /* smcr_link_put in link_down_wrk */ ++ if (!schedule_work(&lnk->link_down_wrk)) ++ smcr_link_put(lnk); + } + } + +@@ -1799,11 +1801,14 @@ static void smc_link_down_work(struct work_struct *work) + struct smc_link_group *lgr = link->lgr; + + if (list_empty(&lgr->list)) +- return; ++ goto out; + wake_up_all(&lgr->llc_msg_waiter); + down_write(&lgr->llc_conf_mutex); + smcr_link_down(link); + up_write(&lgr->llc_conf_mutex); ++ ++out: ++ smcr_link_put(link); /* smcr_link_hold by schedulers of link_down_work */ + } + + static int smc_vlan_by_tcpsk_walk(struct net_device *lower_dev, +-- +2.39.5 + diff --git a/queue-6.6/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch b/queue-6.6/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch new file mode 100644 index 00000000000..d90538127ba --- /dev/null +++ b/queue-6.6/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch @@ -0,0 +1,40 @@ +From ad4c455ee5d1346928091ad2de0ab6314aced84c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 17:25:18 +0000 +Subject: netdevsim: prevent bad user input in nsim_dev_health_break_write() + +From: Eric Dumazet + +[ Upstream commit ee76746387f6233bdfa93d7406990f923641568f ] + +If either a zero count or a large one is provided, kernel can crash. + +Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters") +Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Jiri Pirko +Reviewed-by: Joe Damato +Link: https://patch.msgid.link/20241213172518.2415666-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/health.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c +index eb04ed715d2d..c63427b71898 100644 +--- a/drivers/net/netdevsim/health.c ++++ b/drivers/net/netdevsim/health.c +@@ -203,6 +203,8 @@ static ssize_t nsim_dev_health_break_write(struct file *file, + char *break_msg; + int err; + ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; + break_msg = memdup_user_nul(data, count); + if (IS_ERR(break_msg)) + return PTR_ERR(break_msg); +-- +2.39.5 + diff --git a/queue-6.6/netfilter-ipset-fix-for-recursive-locking-warning.patch b/queue-6.6/netfilter-ipset-fix-for-recursive-locking-warning.patch new file mode 100644 index 00000000000..0cd699e7590 --- /dev/null +++ b/queue-6.6/netfilter-ipset-fix-for-recursive-locking-warning.patch @@ -0,0 +1,62 @@ +From 5dd878ba0d5fcab33a7d3cc1754eb6f0f6ddb303 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 20:56:55 +0100 +Subject: netfilter: ipset: Fix for recursive locking warning + +From: Phil Sutter + +[ Upstream commit 70b6f46a4ed8bd56c85ffff22df91e20e8c85e33 ] + +With CONFIG_PROVE_LOCKING, when creating a set of type bitmap:ip, adding +it to a set of type list:set and populating it from iptables SET target +triggers a kernel warning: + +| WARNING: possible recursive locking detected +| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted +| -------------------------------------------- +| ping/4018 is trying to acquire lock: +| ffff8881094a6848 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] +| +| but task is already holding lock: +| ffff88811034c048 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] + +This is a false alarm: ipset does not allow nested list:set type, so the +loop in list_set_kadd() can never encounter the outer set itself. No +other set type supports embedded sets, so this is the only case to +consider. + +To avoid the false report, create a distinct lock class for list:set +type ipset locks. + +Fixes: f830837f0eed ("netfilter: ipset: list:set set type support") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_list_set.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c +index bfae7066936b..db794fe1300e 100644 +--- a/net/netfilter/ipset/ip_set_list_set.c ++++ b/net/netfilter/ipset/ip_set_list_set.c +@@ -611,6 +611,8 @@ init_list_set(struct net *net, struct ip_set *set, u32 size) + return true; + } + ++static struct lock_class_key list_set_lockdep_key; ++ + static int + list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + u32 flags) +@@ -627,6 +629,7 @@ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + if (size < IP_SET_LIST_MIN_SIZE) + size = IP_SET_LIST_MIN_SIZE; + ++ lockdep_set_class(&set->lock, &list_set_lockdep_key); + set->variant = &set_variant; + set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem), + __alignof__(struct set_elem)); +-- +2.39.5 + diff --git a/queue-6.6/selftests-openvswitch-fix-tcpdump-execution.patch b/queue-6.6/selftests-openvswitch-fix-tcpdump-execution.patch new file mode 100644 index 00000000000..2e43f2d3446 --- /dev/null +++ b/queue-6.6/selftests-openvswitch-fix-tcpdump-execution.patch @@ -0,0 +1,48 @@ +From 3f2e6f07b9c9c31ccdf0ad2e0242b87010ffb2b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 22:16:51 +0100 +Subject: selftests: openvswitch: fix tcpdump execution + +From: Adrian Moreno + +[ Upstream commit a17975992cc11588767175247ccaae1213a8b582 ] + +Fix the way tcpdump is executed by: +- Using the right variable for the namespace. Currently the use of the + empty "ns" makes the command fail. +- Waiting until it starts to capture to ensure the interesting traffic + is caught on slow systems. +- Using line-buffered output to ensure logs are available when the test + is paused with "-p". Otherwise the last chunk of data might only be + written when tcpdump is killed. + +Fixes: 74cc26f416b9 ("selftests: openvswitch: add interface support") +Signed-off-by: Adrian Moreno +Acked-by: Eelco Chaudron +Link: https://patch.msgid.link/20241217211652.483016-1-amorenoz@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/openvswitch/openvswitch.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/openvswitch/openvswitch.sh b/tools/testing/selftests/net/openvswitch/openvswitch.sh +index bab7436c6834..a0f4764ad0af 100755 +--- a/tools/testing/selftests/net/openvswitch/openvswitch.sh ++++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh +@@ -128,8 +128,10 @@ ovs_add_netns_and_veths () { + ovs_add_if "$1" "$2" "$4" -u || return 1 + fi + +- [ $TRACING -eq 1 ] && ovs_netns_spawn_daemon "$1" "$ns" \ +- tcpdump -i any -s 65535 ++ if [ $TRACING -eq 1 ]; then ++ ovs_netns_spawn_daemon "$1" "$3" tcpdump -l -i any -s 6553 ++ ovs_wait grep -q "listening on any" ${ovs_dir}/stderr ++ fi + + return 0 + } +-- +2.39.5 + diff --git a/queue-6.6/series b/queue-6.6/series index 06752a16da3..dd3a83a69fe 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -33,3 +33,25 @@ xfs-fix-the-owner-setting-issue-for-rmap-query-in-xf.patch xfs-use-xfs_buf_daddr_null-for-daddrs-in-getfsmap-co.patch xfs-take-m_growlock-when-running-growfsrt.patch xfs-reset-rootdir-extent-size-hint-after-growfsrt.patch +tools-hv-change-permissions-of-networkmanager-config.patch +cxl-pci-fix-potential-bogus-return-value-upon-succes.patch +cxl-region-fix-region-creation-for-greater-than-x2-s.patch +net-smc-protect-link-down-work-from-execute-after-lg.patch +net-smc-check-sndbuf_space-again-after-nospace-flag-.patch +net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch +net-smc-check-v2_ext_offset-eid_cnt-ism_gid_cnt-when.patch +net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch +net-smc-check-return-value-of-sock_recvmsg-when-drai.patch +net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch +netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch +ionic-fix-netdev-notifier-unregister-on-failure.patch +ionic-use-ee-offset-when-returning-sprom-data.patch +net-renesas-rswitch-rework-ts-tags-management.patch +ksmbd-count-all-requests-in-req_running-counter.patch +ksmbd-fix-broken-transfers-when-exceeding-max-simult.patch +net-hinic-fix-cleanup-in-create_rxqs-txqs.patch +net-ethernet-bgmac-platform-fix-an-of-node-reference.patch +ipvs-fix-clamp-of-ip_vs_conn_tab-on-small-memory-sys.patch +netfilter-ipset-fix-for-recursive-locking-warning.patch +selftests-openvswitch-fix-tcpdump-execution.patch +net-mdiobus-fix-an-of-node-reference-leak.patch diff --git a/queue-6.6/tools-hv-change-permissions-of-networkmanager-config.patch b/queue-6.6/tools-hv-change-permissions-of-networkmanager-config.patch new file mode 100644 index 00000000000..6d91b4bdc81 --- /dev/null +++ b/queue-6.6/tools-hv-change-permissions-of-networkmanager-config.patch @@ -0,0 +1,40 @@ +From d7d1c3155ea6dbffb6b43a0544362647a510960f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 16:35:10 +0200 +Subject: tools: hv: change permissions of NetworkManager configuration file + +From: Olaf Hering + +[ Upstream commit 91ae69c7ed9e262f24240c425ad1eef2cf6639b7 ] + +Align permissions of the resulting .nmconnection file, instead of +the input file from hv_kvp_daemon. To avoid the tiny time frame +where the output file is world-readable, use umask instead of chmod. + +Fixes: 42999c904612 ("hv/hv_kvp_daemon:Support for keyfile based connection profile") +Signed-off-by: Olaf Hering +Reviewed-by: Shradha Gupta +Link: https://lore.kernel.org/r/20241016143521.3735-1-olaf@aepfle.de +Signed-off-by: Wei Liu +Message-ID: <20241016143521.3735-1-olaf@aepfle.de> +Signed-off-by: Sasha Levin +--- + tools/hv/hv_set_ifconfig.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/hv/hv_set_ifconfig.sh b/tools/hv/hv_set_ifconfig.sh +index 440a91b35823..2f8baed2b8f7 100755 +--- a/tools/hv/hv_set_ifconfig.sh ++++ b/tools/hv/hv_set_ifconfig.sh +@@ -81,7 +81,7 @@ echo "ONBOOT=yes" >> $1 + + cp $1 /etc/sysconfig/network-scripts/ + +-chmod 600 $2 ++umask 0177 + interface=$(echo $2 | awk -F - '{ print $2 }') + filename="${2##*/}" + +-- +2.39.5 + -- 2.47.2