From c74848cc2a4b4f7466737a50d34dfaef472004ef Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 25 Dec 2021 16:31:48 -0500 Subject: [PATCH] Fixes for 5.15 
Signed-off-by: Sasha Levin --- ...x6qdl-wandboard-fix-ethernet-support.patch | 46 ++ ...nner-orangepi-zero-plus-fix-phy-mode.patch | 44 ++ ...x-fix-uninit-value-in-asix_mdio_read.patch | 47 ++ ...eturn-value-in-asix_check_host_enabl.patch | 60 +++ ...ifo-add-missing-dma_coerce_mask_and_.patch | 49 ++ ...ctor_system-option-setting-to-defaul.patch | 65 +++ queue-5.15/bus-sunxi-rsb-fix-shutdown.patch | 48 ++ ...vers-net-smc911x-check-for-error-irq.patch | 40 ++ ...i-perform-null-pointer-check-for-mtk.patch | 62 +++ queue-5.15/fjes-check-for-error-irq.patch | 41 ++ queue-5.15/gpio-virtio-remove-timeout.patch | 44 ++ ...ory-leak-in-qib_user_sdma_queue_pkts.patch | 42 ++ ...-instead-of-rx_buf-for-xsk-zero-copy.patch | 223 +++++++++ ...sk-buffers-back-to-pool-when-cleanin.patch | 58 +++ ...-caused-by-taking-rtnl-in-rpm-resume.patch | 102 ++++ ...ly-convert-sk-sk_rx_dst-to-rcu-rules.patch | 441 ++++++++++++++++++ ...ro-iocb-ki_pos-for-stream-file-types.patch | 51 ++ ...n-uninstall-ipmi_si-and-ipmi_msghand.patch | 143 ++++++ ...sk-sk-rx_dst_cookie-to-sk-sk_rx_dst_.patch | 112 +++++ ...v6-packages-in-virtio_net_hdr_to_skb.patch | 75 +++ ...ioctl-old_deviceless-bridge-argument.patch | 57 +++ ...se-array_size-helper-in-copy_to_user.patch | 57 +++ .../net-ks8851-check-for-error-irq.patch | 37 ++ ...tera-fix-incorrect-return-of-port_fi.patch | 64 +++ ...stera-fix-incorrect-structure-access.patch | 113 +++++ ...net_hdr_set_proto-if-protocol-alread.patch | 46 ++ ...-visconti-fix-value-of-ether_clk_sel.patch | 38 ++ ...ix-potentially-overflowing-expressio.patch | 37 ++ ...gression-in-looped-broad-multi-cast-.patch | 69 +++ ...les-fix-use-after-free-in-nft_set_ca.patch | 241 ++++++++++ ...-dereference-null-pointer-of-rx_queu.patch | 103 ++++ ...force-speed-doesn-t-work-for-rtl8156.patch | 65 +++ ...x-rnr-retransmission-issue-for-hip08.patch | 198 ++++++++ .../rdma-hns-replace-kfree-with-kvfree.patch | 39 ++ queue-5.15/series | 40 ++ ...k-null-pointer-of-rx_queue-page_ring.patch | 42 
++ ...k-null-pointer-of-rx_queue-page_ring.patch | 42 ++ ...k_disable_unprepare-to-clk_unprepare.patch | 39 ++ ..._dst_ifindex-to-sk-sk_rx_dst_ifindex.patch | 129 +++++ .../ucounts-fix-rlimit-max-values-check.patch | 122 +++++ ...sure-skb-entering-gro-are-not-cloned.patch | 101 ++++ 41 files changed, 3472 insertions(+) create mode 100644 queue-5.15/arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch create mode 100644 queue-5.15/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch create mode 100644 queue-5.15/asix-fix-uninit-value-in-asix_mdio_read.patch create mode 100644 queue-5.15/asix-fix-wrong-return-value-in-asix_check_host_enabl.patch create mode 100644 queue-5.15/asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch create mode 100644 queue-5.15/bonding-fix-ad_actor_system-option-setting-to-defaul.patch create mode 100644 queue-5.15/bus-sunxi-rsb-fix-shutdown.patch create mode 100644 queue-5.15/drivers-net-smc911x-check-for-error-irq.patch create mode 100644 queue-5.15/drm-mediatek-hdmi-perform-null-pointer-check-for-mtk.patch create mode 100644 queue-5.15/fjes-check-for-error-irq.patch create mode 100644 queue-5.15/gpio-virtio-remove-timeout.patch create mode 100644 queue-5.15/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch create mode 100644 queue-5.15/ice-use-xdp_buf-instead-of-rx_buf-for-xsk-zero-copy.patch create mode 100644 queue-5.15/ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch create mode 100644 queue-5.15/igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch create mode 100644 queue-5.15/inet-fully-convert-sk-sk_rx_dst-to-rcu-rules.patch create mode 100644 queue-5.15/io_uring-zero-iocb-ki_pos-for-stream-file-types.patch create mode 100644 queue-5.15/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch create mode 100644 queue-5.15/ipv6-move-inet6_sk-sk-rx_dst_cookie-to-sk-sk_rx_dst_.patch create mode 100644 queue-5.15/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch create mode 100644 
queue-5.15/net-bridge-fix-ioctl-old_deviceless-bridge-argument.patch create mode 100644 queue-5.15/net-bridge-use-array_size-helper-in-copy_to_user.patch create mode 100644 queue-5.15/net-ks8851-check-for-error-irq.patch create mode 100644 queue-5.15/net-marvell-prestera-fix-incorrect-return-of-port_fi.patch create mode 100644 queue-5.15/net-marvell-prestera-fix-incorrect-structure-access.patch create mode 100644 queue-5.15/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch create mode 100644 queue-5.15/net-stmmac-dwmac-visconti-fix-value-of-ether_clk_sel.patch create mode 100644 queue-5.15/net-stmmac-ptp-fix-potentially-overflowing-expressio.patch create mode 100644 queue-5.15/netfilter-fix-regression-in-looped-broad-multi-cast-.patch create mode 100644 queue-5.15/netfilter-nf_tables-fix-use-after-free-in-nft_set_ca.patch create mode 100644 queue-5.15/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch create mode 100644 queue-5.15/r8152-fix-the-force-speed-doesn-t-work-for-rtl8156.patch create mode 100644 queue-5.15/rdma-hns-fix-rnr-retransmission-issue-for-hip08.patch create mode 100644 queue-5.15/rdma-hns-replace-kfree-with-kvfree.patch create mode 100644 queue-5.15/sfc-check-null-pointer-of-rx_queue-page_ring.patch create mode 100644 queue-5.15/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch create mode 100644 queue-5.15/spi-change-clk_disable_unprepare-to-clk_unprepare.patch create mode 100644 queue-5.15/tcp-move-inet-rx_dst_ifindex-to-sk-sk_rx_dst_ifindex.patch create mode 100644 queue-5.15/ucounts-fix-rlimit-max-values-check.patch create mode 100644 queue-5.15/veth-ensure-skb-entering-gro-are-not-cloned.patch diff --git a/queue-5.15/arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch b/queue-5.15/arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch new file mode 100644 index 00000000000..dde59a76b2a --- /dev/null +++ b/queue-5.15/arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch 
@@ -0,0 +1,46 @@
+From 042663f2c8cd04db966beb4915bfc811595ca009 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 12 Dec 2021 09:30:30 -0300
+Subject: ARM: dts: imx6qdl-wandboard: Fix Ethernet support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Haaß
+
+[ Upstream commit 39e660687ac0c57499134765abbecf71cfd11eae ]
+
+Currently, the imx6q-wandboard Ethernet does not transmit any
+data.
+
+This issue has been exposed by commit f5d9aa79dfdf ("ARM: imx6q:
+remove clk-out fixup for the Atheros AR8031 and AR8035 PHYs").
+
+Fix it by describing the qca,clk-out-frequency property as suggested
+by the commit above.
+
+Fixes: 77591e42458d ("ARM: dts: imx6qdl-wandboard: add ethernet PHY description")
+Signed-off-by: Martin Haaß
+Tested-by: Fabio Estevam
+Signed-off-by: Fabio Estevam
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
+index b62a0dbb033ff..ec6fba5ee8fde 100644
+--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
+@@ -309,6 +309,7 @@
+
+ ethphy: ethernet-phy@1 {
+ reg = <1>;
++ qca,clk-out-frequency = <125000000>;
+ };
+ };
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.15/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch b/queue-5.15/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch
new file mode 100644
index 00000000000..eaf7cb46983
--- /dev/null
+++ b/queue-5.15/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch
@@ -0,0 +1,44 @@
+From de45063c5183e755018ccc951dcb4e819eb417a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Nov 2021 15:02:22 +0100
+Subject: arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode
+
+From: Robert Marko
+
+[ Upstream commit 08d2061ff9c5319a07bf9ca6bbf11fdec68f704a ]
+
+Orange Pi Zero Plus uses a Realtek RTL8211E RGMII Gigabit PHY, but its
+currently set to plain RGMII mode meaning that it doesn't introduce
+delays.
+
+With this setup, TX packets are completely lost and changing the mode to
+RGMII-ID so the PHY will add delays internally fixes the issue.
+
+Fixes: a7affb13b271 ("arm64: allwinner: H5: Add Xunlong Orange Pi Zero Plus")
+Acked-by: Chen-Yu Tsai
+Tested-by: Ron Goossens
+Tested-by: Samuel Holland
+Signed-off-by: Robert Marko
+Signed-off-by: Maxime Ripard
+Link: https://lore.kernel.org/r/20211117140222.43692-1-robert.marko@sartura.hr
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
+index d13980ed7a79a..7ec5ac850a0dc 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
+@@ -69,7 +69,7 @@
+ pinctrl-0 = <&emac_rgmii_pins>;
+ phy-supply = <®_gmac_3v3>;
+ phy-handle = <&ext_rgmii_phy>;
+- phy-mode = "rgmii";
++ phy-mode = "rgmii-id";
+ status = "okay";
+ };
+
+-- 
+2.34.1
+
diff --git a/queue-5.15/asix-fix-uninit-value-in-asix_mdio_read.patch b/queue-5.15/asix-fix-uninit-value-in-asix_mdio_read.patch
new file mode 100644
index 00000000000..5640f6f3a07
--- /dev/null
+++ b/queue-5.15/asix-fix-uninit-value-in-asix_mdio_read.patch
@@ -0,0 +1,47 @@
+From e391dbd2f946f77c14795384fed00dd5869b3dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Dec 2021 23:10:36 +0300
+Subject: asix: fix uninit-value in asix_mdio_read()
+
+From: Pavel Skripkin
+
+[ Upstream commit 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03 ]
+
+asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
+smsr will be uninitialized.
+
+Fail log:
+BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
+BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
+BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
+ asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
+ asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
+ asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
+
+Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter")
+Reported-and-tested-by: syzbot+f44badb06036334e867a@syzkaller.appspotmail.com
+Reviewed-by: Andrew Lunn
+Signed-off-by: Pavel Skripkin
+Link: https://lore.kernel.org/r/8966e3b514edf39857dd93603fc79ec02e000a75.1640117288.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/asix_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 38cda590895cc..b80c2dcfc9084 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -77,7 +77,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm)
+ 0, 0, 1, &smsr, in_pm);
+ if (ret == -ENODEV)
+ break;
+- else if (ret < 0)
++ else if (ret < sizeof(smsr))
+ continue;
+ else if (smsr & AX_HOST_EN)
+ break;
+-- 
+2.34.1
+
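Review bot: The new guard `else if (ret < sizeof(smsr))` in asix_check_host_enable() compares an `int` with a `size_t`, so a negative `ret` is converted to a large unsigned value and the test is false for every error code. The `int i, ret;` declaration is outside this hunk but visible in the following patch of this series. An error other than -ENODEV would then skip the `continue` and reach `smsr & AX_HOST_EN` with `smsr` still unwritten, which is the uninitialised read this patch sets out to remove. Keeping the sign check closes that path: `else if (ret < 0 || ret < (int)sizeof(smsr))`. The function body starts and ends outside the hunk.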
diff --git a/queue-5.15/asix-fix-wrong-return-value-in-asix_check_host_enabl.patch b/queue-5.15/asix-fix-wrong-return-value-in-asix_check_host_enabl.patch
new file mode 100644
index 00000000000..d23b62b4958
--- /dev/null
+++ b/queue-5.15/asix-fix-wrong-return-value-in-asix_check_host_enabl.patch
@@ -0,0 +1,60 @@
+From ac5e338ed2ca507697676d716ed191925ac3df89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Dec 2021 23:10:43 +0300
+Subject: asix: fix wrong return value in asix_check_host_enable()
+
+From: Pavel Skripkin
+
+[ Upstream commit d1652b70d07cc3eed96210c876c4879e1655f20e ]
+
+If asix_read_cmd() returns 0 on 30th interation, 0 will be returned from
+asix_check_host_enable(), which is logically wrong. Fix it by returning
+-ETIMEDOUT explicitly if we have exceeded 30 iterations
+
+Also, replaced 30 with #define as suggested by Andrew
+
+Fixes: a786e3195d6a ("net: asix: fix uninit value bugs")
+Reported-by: Andrew Lunn
+Signed-off-by: Pavel Skripkin
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/ecd3470ce6c2d5697ac635d0d3b14a47defb4acb.1640117288.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/asix_common.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index b80c2dcfc9084..9aa92076500af 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -9,6 +9,8 @@
+
+ #include "asix.h"
+
++#define AX_HOST_EN_RETRIES 30
++
+ int asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
+ u16 size, void *data, int in_pm)
+ {
+@@ -68,7 +70,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm)
+ int i, ret;
+ u8 smsr;
+
+- for (i = 0; i < 30; ++i) {
++ for (i = 0; i < AX_HOST_EN_RETRIES; ++i) {
+ ret = asix_set_sw_mii(dev, in_pm);
+ if (ret == -ENODEV || ret == -ETIMEDOUT)
+ break;
+@@ -83,7 +85,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm)
+ break;
+ }
+
+- return ret;
++ return i >= AX_HOST_EN_RETRIES ? -ETIMEDOUT : ret;
+ }
+
+ static void reset_asix_rx_fixup_info(struct asix_rx_fixup_info *rx)
+-- 
+2.34.1
+
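Review bot: asix_check_host_enable() has no comment stating its return contract, and after this change it has three outcomes that callers need to tell apart. As far as the visible lines show, it returns a negative errno when a command fails, `-ETIMEDOUT` once `i` reaches `AX_HOST_EN_RETRIES`, and otherwise whatever asix_read_cmd() last returned, which on the success path is presumably a positive byte count rather than 0. A short kernel-doc block above the function saying so, plus a one-line comment on the macro such as `/* polls of AX_HOST_EN before giving up */`, would keep callers from testing for `== 0`. The loop body between the second and third inner hunks is not shown here.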
diff --git a/queue-5.15/asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch b/queue-5.15/asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch
new file mode 100644
index 00000000000..0d8eefa5d61
--- /dev/null
+++ b/queue-5.15/asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch
@@ -0,0 +1,49 @@
+From 679cfe6e44cbf6bb3d4a91eb124e40e4318c54ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Dec 2021 22:08:03 +0100
+Subject: ASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent()
+
+From: Martin Blumenstingl
+
+[ Upstream commit 1bcd326631dc4faa3322d60b4fc45e8b3747993e ]
+
+The FIFO registers which take an DMA-able address are only 32-bit wide
+on AIU. Add dma_coerce_mask_and_coherent() to make the DMA core aware of
+this limitation.
+
+Fixes: 6ae9ca9ce986bf ("ASoC: meson: aiu: add i2s and spdif support")
+Signed-off-by: Martin Blumenstingl
+Link: https://lore.kernel.org/r/20211206210804.2512999-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/meson/aiu-fifo.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/meson/aiu-fifo.c b/sound/soc/meson/aiu-fifo.c
+index 4ad23267cace5..d67ff4cdabd5a 100644
+--- a/sound/soc/meson/aiu-fifo.c
++++ b/sound/soc/meson/aiu-fifo.c
+@@ -5,6 +5,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -179,6 +180,11 @@ int aiu_fifo_pcm_new(struct snd_soc_pcm_runtime *rtd,
+ struct snd_card *card = rtd->card->snd_card;
+ struct aiu_fifo *fifo = dai->playback_dma_data;
+ size_t size = fifo->pcm->buffer_bytes_max;
++ int ret;
++
++ ret = dma_coerce_mask_and_coherent(card->dev, DMA_BIT_MASK(32));
++ if (ret)
++ return ret;
+
+ snd_pcm_set_managed_buffer_all(rtd->pcm, SNDRV_DMA_TYPE_DEV,
+ card->dev, size, size);
+-- 
+2.34.1
+
diff --git a/queue-5.15/bonding-fix-ad_actor_system-option-setting-to-defaul.patch b/queue-5.15/bonding-fix-ad_actor_system-option-setting-to-defaul.patch
new file mode 100644
index 00000000000..05d453b66b9
--- /dev/null
+++ b/queue-5.15/bonding-fix-ad_actor_system-option-setting-to-defaul.patch
@@ -0,0 +1,65 @@
+From 2ceeb885e0fbeea131836c95c4d33d492e7e6bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Dec 2021 12:13:45 +0100
+Subject: bonding: fix ad_actor_system option setting to default
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 1c15b05baea71a5ff98235783e3e4ad227760876 ]
+
+When 802.3ad bond mode is configured the ad_actor_system option is set to
+"00:00:00:00:00:00". But when trying to set the all-zeroes MAC as actors'
+system address it was failing with EINVAL.
+
+An all-zeroes ethernet address is valid, only multicast addresses are not
+valid values.
+
+Fixes: 171a42c38c6e ("bonding: add netlink support for sys prio, actor sys mac, and port key")
+Signed-off-by: Fernando Fernandez Mancera
+Acked-by: Jay Vosburgh
+Link: https://lore.kernel.org/r/20211221111345.2462-1-ffmancera@riseup.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ Documentation/networking/bonding.rst | 11 ++++++-----
+ drivers/net/bonding/bond_options.c | 2 +-
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst
+index 31cfd7d674a6c..c0a789b008063 100644
+--- a/Documentation/networking/bonding.rst
++++ b/Documentation/networking/bonding.rst
+@@ -196,11 +196,12 @@ ad_actor_sys_prio
+ ad_actor_system
+
+ In an AD system, this specifies the mac-address for the actor in
+- protocol packet exchanges (LACPDUs). The value cannot be NULL or
+- multicast. It is preferred to have the local-admin bit set for this
+- mac but driver does not enforce it. If the value is not given then
+- system defaults to using the masters' mac address as actors' system
+- address.
++ protocol packet exchanges (LACPDUs). The value cannot be a multicast
++ address. If the all-zeroes MAC is specified, bonding will internally
++ use the MAC of the bond itself. It is preferred to have the
++ local-admin bit set for this mac but driver does not enforce it. If
++ the value is not given then system defaults to using the masters'
++ mac address as actors' system address.
+
+ This parameter has effect only in 802.3ad mode and is available through
+ SysFs interface.
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index a8fde3bc458f6..b93337b5a7211 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1526,7 +1526,7 @@ static int bond_option_ad_actor_system_set(struct bonding *bond,
+ mac = (u8 *)&newval->value;
+ }
+
+- if (!is_valid_ether_addr(mac))
++ if (is_multicast_ether_addr(mac))
+ goto err;
+
+ netdev_dbg(bond->dev, "Setting ad_actor_system to %pM\n", mac);
+-- 
+2.34.1
+
diff --git a/queue-5.15/bus-sunxi-rsb-fix-shutdown.patch b/queue-5.15/bus-sunxi-rsb-fix-shutdown.patch
new file mode 100644
index 00000000000..537bbc60ab5
--- /dev/null
+++ b/queue-5.15/bus-sunxi-rsb-fix-shutdown.patch
@@ -0,0 +1,48 @@
+From 414938c06a53fb28dc0d91c2996431ceca8f730c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Nov 2021 09:35:37 +0100
+Subject: bus: sunxi-rsb: Fix shutdown
+
+From: Jernej Skrabec
+
+[ Upstream commit 017a716e7b0e9d4ac06a4d7779bd04fca009bbc9 ]
+
+Function sunxi_rsb_hw_exit() is sometimes called with pm runtime
+disabled, so in such cases pm_runtime_resume() will fail with -EACCES.
+
+Instead of doing whole dance of enabling pm runtime and thus clock just
+to disable it again immediately, just check if disabling clock is
+needed. That way calling pm_runtime_resume() is not needed at all.
+
+Fixes: 4a0dbc12e618 ("bus: sunxi-rsb: Implement runtime power management")
+Signed-off-by: Jernej Skrabec
+Signed-off-by: Maxime Ripard
+Link: https://lore.kernel.org/r/20211121083537.612473-1-jernej.skrabec@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/sunxi-rsb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index 6f225dddc74f4..4566e730ef2b8 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -687,11 +687,11 @@ err_clk_disable:
+
+ static void sunxi_rsb_hw_exit(struct sunxi_rsb *rsb)
+ {
+- /* Keep the clock and PM reference counts consistent. */
+- if (pm_runtime_status_suspended(rsb->dev))
+- pm_runtime_resume(rsb->dev);
+ reset_control_assert(rsb->rstc);
+- clk_disable_unprepare(rsb->clk);
++
++ /* Keep the clock and PM reference counts consistent. */
++ if (!pm_runtime_status_suspended(rsb->dev))
++ clk_disable_unprepare(rsb->clk);
+ }
+
+ static int __maybe_unused sunxi_rsb_runtime_suspend(struct device *dev)
+-- 
+2.34.1
+
diff --git a/queue-5.15/drivers-net-smc911x-check-for-error-irq.patch b/queue-5.15/drivers-net-smc911x-check-for-error-irq.patch
new file mode 100644
index 00000000000..48cb1e04fcf
--- /dev/null
+++ b/queue-5.15/drivers-net-smc911x-check-for-error-irq.patch
@@ -0,0 +1,40 @@
+From d24755a56c3e7b6179384fc1e58518e334def743 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Dec 2021 15:41:12 +0800
+Subject: drivers: net: smc911x: Check for error irq
+
+From: Jiasheng Jiang
+
+[ Upstream commit cb93b3e11d405f20a405a07482d01147ef4934a3 ]
+
+Because platform_get_irq() could fail and return error irq.
+Therefore, it might be better to check it if order to avoid the use of
+error irq.
+
+Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/smsc/smc911x.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/smsc/smc911x.c b/drivers/net/ethernet/smsc/smc911x.c
+index b008b4e8a2a5a..0641a1d392b86 100644
+--- a/drivers/net/ethernet/smsc/smc911x.c
++++ b/drivers/net/ethernet/smsc/smc911x.c
+@@ -2070,6 +2070,11 @@ static int smc911x_drv_probe(struct platform_device *pdev)
+
+ ndev->dma = (unsigned char)-1;
+ ndev->irq = platform_get_irq(pdev, 0);
++ if (ndev->irq < 0) {
++ ret = ndev->irq;
++ goto release_both;
++ }
++
+ lp = netdev_priv(ndev);
+ lp->netdev = ndev;
+ #ifdef SMC_DYNAMIC_BUS_CONFIG
+-- 
+2.34.1
+
diff --git a/queue-5.15/drm-mediatek-hdmi-perform-null-pointer-check-for-mtk.patch b/queue-5.15/drm-mediatek-hdmi-perform-null-pointer-check-for-mtk.patch
new file mode 100644
index 00000000000..63f909e8e11
--- /dev/null
+++ b/queue-5.15/drm-mediatek-hdmi-perform-null-pointer-check-for-mtk.patch
@@ -0,0 +1,62 @@
+From a7c7c0746b8a97d4903118ad6990fd04d4c58175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Oct 2021 09:43:11 +0200
+Subject: drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf
+
+From: AngeloGioacchino Del Regno
+
+[ Upstream commit 3b8e19a0aa3933a785be9f1541afd8d398c4ec69 ]
+
+In commit 41ca9caaae0b
+("drm/mediatek: hdmi: Add check for CEA modes only") a check
+for CEA modes was added to function mtk_hdmi_bridge_mode_valid()
+in order to address possible issues on MT8167;
+moreover, with commit c91026a938c2
+("drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock")
+another similar check was introduced.
+
+Unfortunately though, at the time of writing, MT8173 does not provide
+any mtk_hdmi_conf structure and this is crashing the kernel with NULL
+pointer upon entering mtk_hdmi_bridge_mode_valid(), which happens as
+soon as a HDMI cable gets plugged in.
+
+To fix this regression, add a NULL pointer check for hdmi->conf in the
+said function, restoring HDMI functionality and avoiding NULL pointer
+kernel panics.
+
+Fixes: 41ca9caaae0b ("drm/mediatek: hdmi: Add check for CEA modes only")
+Fixes: c91026a938c2 ("drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock")
+Signed-off-by: AngeloGioacchino Del Regno
+Signed-off-by: Chun-Kuang Hu
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index 5838c44cbf6f0..3196189429bcf 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -1224,12 +1224,14 @@ static int mtk_hdmi_bridge_mode_valid(struct drm_bridge *bridge,
+ return MODE_BAD;
+ }
+
+- if (hdmi->conf->cea_modes_only && !drm_match_cea_mode(mode))
+- return MODE_BAD;
++ if (hdmi->conf) {
++ if (hdmi->conf->cea_modes_only && !drm_match_cea_mode(mode))
++ return MODE_BAD;
+
+- if (hdmi->conf->max_mode_clock &&
+- mode->clock > hdmi->conf->max_mode_clock)
+- return MODE_CLOCK_HIGH;
++ if (hdmi->conf->max_mode_clock &&
++ mode->clock > hdmi->conf->max_mode_clock)
++ return MODE_CLOCK_HIGH;
++ }
+
+ if (mode->clock < 27000)
+ return MODE_CLOCK_LOW;
+-- 
+2.34.1
+
diff --git a/queue-5.15/fjes-check-for-error-irq.patch b/queue-5.15/fjes-check-for-error-irq.patch
new file mode 100644
index 00000000000..a427d16b43b
--- /dev/null
+++ b/queue-5.15/fjes-check-for-error-irq.patch
@@ -0,0 +1,41 @@
+From f8f75ae10cffbfa6fb1d31db4ca1292abf2ac667 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Dec 2021 15:12:07 +0800
+Subject: fjes: Check for error irq
+
+From: Jiasheng Jiang
+
+[ Upstream commit db6d6afe382de5a65d6ccf51253ab48b8e8336c3 ]
+
+I find that platform_get_irq() will not always succeed.
+It will return error irq in case of the failure.
+Therefore, it might be better to check it if order to avoid the use of
+error irq.
+
+Fixes: 658d439b2292 ("fjes: Introduce FUJITSU Extended Socket Network Device driver")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/fjes/fjes_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c
+index 185c8a3986816..1d1808afd5295 100644
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1261,6 +1261,11 @@ static int fjes_probe(struct platform_device *plat_dev)
+ hw->hw_res.start = res->start;
+ hw->hw_res.size = resource_size(res);
+ hw->hw_res.irq = platform_get_irq(plat_dev, 0);
++ if (hw->hw_res.irq < 0) {
++ err = hw->hw_res.irq;
++ goto err_free_control_wq;
++ }
++
+ err = fjes_hw_init(&adapter->hw);
+ if (err)
+ goto err_free_control_wq;
+-- 
+2.34.1
+
diff --git a/queue-5.15/gpio-virtio-remove-timeout.patch b/queue-5.15/gpio-virtio-remove-timeout.patch
new file mode 100644
index 00000000000..fc01608b35e
--- /dev/null
+++ b/queue-5.15/gpio-virtio-remove-timeout.patch
@@ -0,0 +1,44 @@
+From a9e954c6891f7c19e21d739bc7c5466368143cc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Dec 2021 14:06:56 +0100
+Subject: gpio: virtio: remove timeout
+
+From: Vincent Whitchurch
+
+[ Upstream commit 3e4d9a485029aa9e172dab5420abe775fd86f8e8 ]
+
+The driver imposes an arbitrary one second timeout on virtio requests,
+but the specification doesn't prevent the virtio device from taking
+longer to process requests, so remove this timeout to support all
+systems and device implementations.
+
+Fixes: 3a29355a22c0275fe86 ("gpio: Add virtio-gpio driver")
+Signed-off-by: Vincent Whitchurch
+Acked-by: Michael S. Tsirkin
+Acked-by: Viresh Kumar
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpio-virtio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpio/gpio-virtio.c b/drivers/gpio/gpio-virtio.c
+index d24f1c9264bc9..dd3b23c9580b1 100644
+--- a/drivers/gpio/gpio-virtio.c
++++ b/drivers/gpio/gpio-virtio.c
+@@ -81,11 +81,7 @@ static int _virtio_gpio_req(struct virtio_gpio *vgpio, u16 type, u16 gpio,
+ virtqueue_kick(vgpio->request_vq);
+ mutex_unlock(&vgpio->lock);
+
+- if (!wait_for_completion_timeout(&line->completion, HZ)) {
+- dev_err(dev, "GPIO operation timed out\n");
+- ret = -ETIMEDOUT;
+- goto out;
+- }
++ wait_for_completion(&line->completion);
+
+ if (unlikely(res->status != VIRTIO_GPIO_STATUS_OK)) {
+ dev_err(dev, "GPIO request failed: %d\n", gpio);
+-- 
+2.34.1
+
diff --git a/queue-5.15/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch b/queue-5.15/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
new file mode 100644
index 00000000000..79b090486a2
--- /dev/null
+++ b/queue-5.15/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
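Review bot: `wait_for_completion(&line->completion)` in _virtio_gpio_req() (the gpio-virtio patch) is now an unbounded, uninterruptible sleep whose only wake-up is a response from the virtio device. A backend that stalls or never answers leaves the calling task blocked with no signal or timeout able to release it, and the removed `-ETIMEDOUT` path was the only bound. If the wait must stay unbounded for spec conformance, a comment at the call would record that this is deliberate, for example `/* No timeout: the spec sets no upper bound on device latency; a silent device blocks the caller here. */`. The function body starts and ends outside the hunk.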
@@ -0,0 +1,42 @@
+From 4d9a6b2c6082d6ab03dcd3d7c2a48fc12b96cdb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Dec 2021 18:52:38 +0100
+Subject: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito
+
+[ Upstream commit bee90911e0138c76ee67458ac0d58b38a3190f65 ]
+
+The wrong goto label was used for the error case and missed cleanup of the
+pkt allocation.
+
+Fixes: d39bf40e55e6 ("IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields")
+Link: https://lore.kernel.org/r/20211208175238.29983-1-jose.exposito89@gmail.com
+Addresses-Coverity-ID: 1493352 ("Resource leak")
+Signed-off-by: José Expósito
+Acked-by: Mike Marciniszyn
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/qib/qib_user_sdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c
+index ac11943a5ddb0..bf2f30d67949d 100644
+--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
+@@ -941,7 +941,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd,
+ &addrlimit) ||
+ addrlimit > type_max(typeof(pkt->addrlimit))) {
+ ret = -EINVAL;
+- goto free_pbc;
++ goto free_pkt;
+ }
+ pkt->addrlimit = addrlimit;
+
+-- 
+2.34.1
+
diff --git a/queue-5.15/ice-use-xdp_buf-instead-of-rx_buf-for-xsk-zero-copy.patch b/queue-5.15/ice-use-xdp_buf-instead-of-rx_buf-for-xsk-zero-copy.patch
new file mode 100644
index 00000000000..e53aa5e6cd8
--- /dev/null
+++ b/queue-5.15/ice-use-xdp_buf-instead-of-rx_buf-for-xsk-zero-copy.patch
@@ -0,0 +1,223 @@ +From 0a75dab1348000c3d48ebc10eeb95c7299d5fe39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 09:56:03 +0200 +Subject: ice: Use xdp_buf instead of rx_buf for xsk zero-copy + +From: Magnus Karlsson + +[ Upstream commit 57f7f8b6bc0bc80d94443f94fe5f21f266499a2b ] + +In order to use the new xsk batched buffer allocation interface, a +pointer to an array of struct xsk_buff pointers need to be provided so +that the function can put the result of the allocation there. In the +ice driver, we already have a ring that stores pointers to +xdp_buffs. This is only used for the xsk zero-copy driver and is a +union with the structure that is used for the regular non zero-copy +path. Unfortunately, that structure is larger than the xdp_buffs +pointers which mean that there will be a stride (of 20 bytes) between +each xdp_buff pointer. And feeding this into the xsk_buff_alloc_batch +interface will not work since it assumes a regular array of xdp_buff +pointers (each 8 bytes with 0 bytes in-between them on a 64-bit +system). + +To fix this, remove the xdp_buff pointer from the rx_buf union and +move it one step higher to the union above which only has pointers to +arrays in it. This solves the problem and we can directly feed the SW +ring of xdp_buff pointers straight into the allocation function in the +next patch when that interface is used. This will improve performance. 
+ +Signed-off-by: Magnus Karlsson +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210922075613.12186-4-magnus.karlsson@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_txrx.h | 16 ++----- + drivers/net/ethernet/intel/ice/ice_xsk.c | 56 +++++++++++------------ + 2 files changed, 33 insertions(+), 39 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index 1e46e80f3d6f8..7c2328529ff8e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -164,17 +164,10 @@ struct ice_tx_offload_params { + }; + + struct ice_rx_buf { +- union { +- struct { +- dma_addr_t dma; +- struct page *page; +- unsigned int page_offset; +- u16 pagecnt_bias; +- }; +- struct { +- struct xdp_buff *xdp; +- }; +- }; ++ dma_addr_t dma; ++ struct page *page; ++ unsigned int page_offset; ++ u16 pagecnt_bias; + }; + + struct ice_q_stats { +@@ -270,6 +263,7 @@ struct ice_ring { + union { + struct ice_tx_buf *tx_buf; + struct ice_rx_buf *rx_buf; ++ struct xdp_buff **xdp_buf; + }; + /* CL2 - 2nd cacheline starts here */ + u16 q_index; /* Queue number of ring */ +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 5a9f61deeb38d..f4ab5259a56cc 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -364,7 +364,7 @@ bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count) + { + union ice_32b_rx_flex_desc *rx_desc; + u16 ntu = rx_ring->next_to_use; +- struct ice_rx_buf *rx_buf; ++ struct xdp_buff **xdp; + bool ok = true; + dma_addr_t dma; + +@@ -372,26 +372,26 @@ bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count) + return true; + + rx_desc = ICE_RX_DESC(rx_ring, ntu); +- rx_buf = &rx_ring->rx_buf[ntu]; ++ xdp = &rx_ring->xdp_buf[ntu]; + + do { +- rx_buf->xdp = xsk_buff_alloc(rx_ring->xsk_pool); +- if (!rx_buf->xdp) { ++ *xdp 
= xsk_buff_alloc(rx_ring->xsk_pool); ++ if (!xdp) { + ok = false; + break; + } + +- dma = xsk_buff_xdp_get_dma(rx_buf->xdp); ++ dma = xsk_buff_xdp_get_dma(*xdp); + rx_desc->read.pkt_addr = cpu_to_le64(dma); + rx_desc->wb.status_error0 = 0; + + rx_desc++; +- rx_buf++; ++ xdp++; + ntu++; + + if (unlikely(ntu == rx_ring->count)) { + rx_desc = ICE_RX_DESC(rx_ring, 0); +- rx_buf = rx_ring->rx_buf; ++ xdp = rx_ring->xdp_buf; + ntu = 0; + } + } while (--count); +@@ -421,19 +421,19 @@ static void ice_bump_ntc(struct ice_ring *rx_ring) + /** + * ice_construct_skb_zc - Create an sk_buff from zero-copy buffer + * @rx_ring: Rx ring +- * @rx_buf: zero-copy Rx buffer ++ * @xdp_arr: Pointer to the SW ring of xdp_buff pointers + * + * This function allocates a new skb from a zero-copy Rx buffer. + * + * Returns the skb on success, NULL on failure. + */ + static struct sk_buff * +-ice_construct_skb_zc(struct ice_ring *rx_ring, struct ice_rx_buf *rx_buf) ++ice_construct_skb_zc(struct ice_ring *rx_ring, struct xdp_buff **xdp_arr) + { +- unsigned int metasize = rx_buf->xdp->data - rx_buf->xdp->data_meta; +- unsigned int datasize = rx_buf->xdp->data_end - rx_buf->xdp->data; +- unsigned int datasize_hard = rx_buf->xdp->data_end - +- rx_buf->xdp->data_hard_start; ++ struct xdp_buff *xdp = *xdp_arr; ++ unsigned int metasize = xdp->data - xdp->data_meta; ++ unsigned int datasize = xdp->data_end - xdp->data; ++ unsigned int datasize_hard = xdp->data_end - xdp->data_hard_start; + struct sk_buff *skb; + + skb = __napi_alloc_skb(&rx_ring->q_vector->napi, datasize_hard, +@@ -441,13 +441,13 @@ ice_construct_skb_zc(struct ice_ring *rx_ring, struct ice_rx_buf *rx_buf) + if (unlikely(!skb)) + return NULL; + +- skb_reserve(skb, rx_buf->xdp->data - rx_buf->xdp->data_hard_start); +- memcpy(__skb_put(skb, datasize), rx_buf->xdp->data, datasize); ++ skb_reserve(skb, xdp->data - xdp->data_hard_start); ++ memcpy(__skb_put(skb, datasize), xdp->data, datasize); + if (metasize) + skb_metadata_set(skb, 
metasize); + +- xsk_buff_free(rx_buf->xdp); +- rx_buf->xdp = NULL; ++ xsk_buff_free(xdp); ++ *xdp_arr = NULL; + return skb; + } + +@@ -521,7 +521,7 @@ int ice_clean_rx_irq_zc(struct ice_ring *rx_ring, int budget) + while (likely(total_rx_packets < (unsigned int)budget)) { + union ice_32b_rx_flex_desc *rx_desc; + unsigned int size, xdp_res = 0; +- struct ice_rx_buf *rx_buf; ++ struct xdp_buff **xdp; + struct sk_buff *skb; + u16 stat_err_bits; + u16 vlan_tag = 0; +@@ -544,18 +544,18 @@ int ice_clean_rx_irq_zc(struct ice_ring *rx_ring, int budget) + if (!size) + break; + +- rx_buf = &rx_ring->rx_buf[rx_ring->next_to_clean]; +- rx_buf->xdp->data_end = rx_buf->xdp->data + size; +- xsk_buff_dma_sync_for_cpu(rx_buf->xdp, rx_ring->xsk_pool); ++ xdp = &rx_ring->xdp_buf[rx_ring->next_to_clean]; ++ (*xdp)->data_end = (*xdp)->data + size; ++ xsk_buff_dma_sync_for_cpu(*xdp, rx_ring->xsk_pool); + +- xdp_res = ice_run_xdp_zc(rx_ring, rx_buf->xdp); ++ xdp_res = ice_run_xdp_zc(rx_ring, *xdp); + if (xdp_res) { + if (xdp_res & (ICE_XDP_TX | ICE_XDP_REDIR)) + xdp_xmit |= xdp_res; + else +- xsk_buff_free(rx_buf->xdp); ++ xsk_buff_free(*xdp); + +- rx_buf->xdp = NULL; ++ *xdp = NULL; + total_rx_bytes += size; + total_rx_packets++; + cleaned_count++; +@@ -565,7 +565,7 @@ int ice_clean_rx_irq_zc(struct ice_ring *rx_ring, int budget) + } + + /* XDP_PASS path */ +- skb = ice_construct_skb_zc(rx_ring, rx_buf); ++ skb = ice_construct_skb_zc(rx_ring, xdp); + if (!skb) { + rx_ring->rx_stats.alloc_buf_failed++; + break; +@@ -813,12 +813,12 @@ void ice_xsk_clean_rx_ring(struct ice_ring *rx_ring) + u16 i; + + for (i = 0; i < rx_ring->count; i++) { +- struct ice_rx_buf *rx_buf = &rx_ring->rx_buf[i]; ++ struct xdp_buff **xdp = &rx_ring->xdp_buf[i]; + +- if (!rx_buf->xdp) ++ if (!xdp) + continue; + +- rx_buf->xdp = NULL; ++ *xdp = NULL; + } + } + +-- +2.34.1 + 
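Review bot: In `ice_alloc_rx_bufs_zc()` the allocation-failure check tests the slot address rather than the buffer: after `*xdp = xsk_buff_alloc(rx_ring->xsk_pool);` the new code has `if (!xdp) {`, and `xdp` points into `rx_ring->xdp_buf[]`, so it is never NULL. A failed allocation therefore falls through to `xsk_buff_xdp_get_dma(*xdp)` with a NULL buffer instead of setting `ok = false` and leaving the loop. The check should be `if (!*xdp) {`. The same slip appears in `ice_xsk_clean_rx_ring()`, where `if (!xdp)` can never be true and should read `if (!*xdp)`.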
diff --git a/queue-5.15/ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch b/queue-5.15/ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch
new file mode 100644
index 00000000000..085093ef36b
--- /dev/null
+++ b/queue-5.15/ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch
@@ -0,0 +1,58 @@
+From e74f2c667a2e6ccd61b8f7c46ba4b4141746d22f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Dec 2021 16:31:06 +0100
+Subject: ice: xsk: return xsk buffers back to pool when cleaning the ring
+
+From: Maciej Fijalkowski
+
+[ Upstream commit afe8a3ba85ec2a6b6849367e25c06a2f8e0ddd05 ]
+
+Currently we only NULL the xdp_buff pointer in the internal SW ring but
+we never give it back to the xsk buffer pool. This means that buffers
+can be leaked out of the buff pool and never be used again.
+
+Add missing xsk_buff_free() call to the routine that is supposed to
+clean the entries that are left in the ring so that these buffers in the
+umem can be used by other sockets.
+
+Also, only go through the space that is actually left to be cleaned
+instead of a whole ring.
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Signed-off-by: Magnus Karlsson
+Signed-off-by: Maciej Fijalkowski
+Tested-by: Kiran Bhandare
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index f4ab5259a56cc..37c7dc6b44a9f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -810,14 +810,14 @@ bool ice_xsk_any_rx_ring_ena(struct ice_vsi *vsi)
+ */
+ void ice_xsk_clean_rx_ring(struct ice_ring *rx_ring)
+ {
+- u16 i;
+-
+- for (i = 0; i < rx_ring->count; i++) {
+- struct xdp_buff **xdp = &rx_ring->xdp_buf[i];
++ u16 count_mask = rx_ring->count - 1;
++ u16 ntc = rx_ring->next_to_clean;
++ u16 ntu = rx_ring->next_to_use;
+
+- if (!xdp)
+- continue;
++ for ( ; ntc != ntu; ntc = (ntc + 1) & count_mask) {
++ struct xdp_buff **xdp = &rx_ring->xdp_buf[ntc];
+
++ xsk_buff_free(*xdp);
+ *xdp = NULL;
+ }
+ }
+--
+2.34.1
+
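Review bot: The wrap in the new loop of `ice_xsk_clean_rx_ring()`, `ntc = (ntc + 1) & count_mask` with `count_mask = rx_ring->count - 1`, is only correct when `rx_ring->count` is a power of two, and nothing in this hunk enforces or documents that. The allocation path in the same file wraps by comparison (`if (unlikely(ntu == rx_ring->count))`), which works for any ring size. With another size the masked index skips slots and may never equal `ntu`, so `xsk_buff_free(*xdp)` would run on the wrong entries. Either wrap the same way, `if (++ntc == rx_ring->count) ntc = 0;`, or state the power-of-two requirement next to `count_mask`. It is also worth confirming that every slot between `next_to_clean` and `next_to_use` is non-NULL, since the old `if (!xdp)` guard is dropped rather than corrected to `if (!*xdp)`.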
diff --git a/queue-5.15/igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch b/queue-5.15/igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch
new file mode 100644
index 00000000000..bbcac4b8867
--- /dev/null
+++ b/queue-5.15/igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch
@@ -0,0 +1,102 @@ +From d0ad048b83b089e8c6c32f4e12e778f7568dec37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 12:18:44 -0800 +Subject: igb: fix deadlock caused by taking RTNL in RPM resume path + +From: Heiner Kallweit + +[ Upstream commit ac8c58f5b535d6272324e2b8b4a0454781c9147e ] + +Recent net core changes caused an issue with few Intel drivers +(reportedly igb), where taking RTNL in RPM resume path results in a +deadlock. See [0] for a bug report. I don't think the core changes +are wrong, but taking RTNL in RPM resume path isn't needed. +The Intel drivers are the only ones doing this. See [1] for a +discussion on the issue. Following patch changes the RPM resume path +to not take RTNL. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=215129 +[1] https://lore.kernel.org/netdev/20211125074949.5f897431@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com/t/ + +Fixes: bd869245a3dc ("net: core: try to runtime-resume detached device in __dev_open") +Fixes: f32a21376573 ("ethtool: runtime-resume netdev parent before ethtool ioctl ops") +Tested-by: Martin Stolpe +Signed-off-by: Heiner Kallweit +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20211220201844.2714498-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 533199d819501..82a712f77cb34 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9247,7 +9247,7 @@ static int __maybe_unused igb_suspend(struct device *dev) + return __igb_shutdown(to_pci_dev(dev), NULL, 0); + } + +-static int __maybe_unused igb_resume(struct device *dev) ++static int __maybe_unused __igb_resume(struct device *dev, bool rpm) + { + struct pci_dev *pdev = to_pci_dev(dev); + struct net_device 
*netdev = pci_get_drvdata(pdev); +@@ -9290,17 +9290,24 @@ static int __maybe_unused igb_resume(struct device *dev) + + wr32(E1000_WUS, ~0); + +- rtnl_lock(); ++ if (!rpm) ++ rtnl_lock(); + if (!err && netif_running(netdev)) + err = __igb_open(netdev, true); + + if (!err) + netif_device_attach(netdev); +- rtnl_unlock(); ++ if (!rpm) ++ rtnl_unlock(); + + return err; + } + ++static int __maybe_unused igb_resume(struct device *dev) ++{ ++ return __igb_resume(dev, false); ++} ++ + static int __maybe_unused igb_runtime_idle(struct device *dev) + { + struct net_device *netdev = dev_get_drvdata(dev); +@@ -9319,7 +9326,7 @@ static int __maybe_unused igb_runtime_suspend(struct device *dev) + + static int __maybe_unused igb_runtime_resume(struct device *dev) + { +- return igb_resume(dev); ++ return __igb_resume(dev, true); + } + + static void igb_shutdown(struct pci_dev *pdev) +@@ -9435,7 +9442,7 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + * @pdev: Pointer to PCI device + * + * Restart the card from scratch, as if from a cold-boot. Implementation +- * resembles the first-half of the igb_resume routine. ++ * resembles the first-half of the __igb_resume routine. + **/ + static pci_ers_result_t igb_io_slot_reset(struct pci_dev *pdev) + { +@@ -9475,7 +9482,7 @@ static pci_ers_result_t igb_io_slot_reset(struct pci_dev *pdev) + * + * This callback is called when the error recovery driver tells us that + * its OK to resume normal operation. Implementation resembles the +- * second-half of the igb_resume routine. ++ * second-half of the __igb_resume routine. + */ + static void igb_io_resume(struct pci_dev *pdev) + { +-- +2.34.1 + diff --git a/queue-5.15/inet-fully-convert-sk-sk_rx_dst-to-rcu-rules.patch b/queue-5.15/inet-fully-convert-sk-sk_rx_dst-to-rcu-rules.patch new file mode 100644 index 00000000000..0e6632faefc --- /dev/null +++ b/queue-5.15/inet-fully-convert-sk-sk_rx_dst-to-rcu-rules.patch 
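Review bot: `__igb_resume()` now runs `__igb_open(netdev, true)` and `netif_device_attach(netdev)` without taking RTNL when `rpm` is true, and the code does not say who, if anyone, holds the lock in that case. The commit message argues the lock is not needed on the runtime-resume path, but that reasoning lives only in the changelog. I would document the contract on the function, e.g. `/* rpm: called from runtime resume; RTNL is not taken here, see callers */`, and state whether runtime-resume callers are expected to hold RTNL already or whether the open path is safe without it. The pairs `if (!rpm)` / `rtnl_lock();` and `if (!rpm)` / `rtnl_unlock();` would also read more safely with a blank line after each, since the statement that follows is unconditional.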
@@ -0,0 +1,441 @@ +From 24b3c0f2a801fa70a99b91b13605789abf472db0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 06:33:30 -0800 +Subject: inet: fully convert sk->sk_rx_dst to RCU rules + +From: Eric Dumazet + +[ Upstream commit 8f905c0e7354ef261360fb7535ea079b1082c105 ] + +syzbot reported various issues around early demux, +one being included in this changelog [1] + +sk->sk_rx_dst is using RCU protection without clearly +documenting it. + +And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv() +are not following standard RCU rules. + +[a] dst_release(dst); +[b] sk->sk_rx_dst = NULL; + +They look wrong because a delete operation of RCU protected +pointer is supposed to clear the pointer before +the call_rcu()/synchronize_rcu() guarding actual memory freeing. + +In some cases indeed, dst could be freed before [b] is done. + +We could cheat by clearing sk_rx_dst before calling +dst_release(), but this seems the right time to stick +to standard RCU annotations and debugging facilities. 
+ +[1] +BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline] +BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 +Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204 + +CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 + __kasan_report mm/kasan/report.c:433 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 + dst_check include/net/dst.h:470 [inline] + tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 + ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340 + ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583 + ip_sublist_rcv net/ipv4/ip_input.c:609 [inline] + ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644 + __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline] + __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556 + __netif_receive_skb_list net/core/dev.c:5608 [inline] + netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699 + gro_normal_list net/core/dev.c:5853 [inline] + gro_normal_list net/core/dev.c:5849 [inline] + napi_complete_done+0x1f1/0x880 net/core/dev.c:6590 + virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline] + virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557 + __napi_poll+0xaf/0x440 net/core/dev.c:7023 + napi_poll net/core/dev.c:7090 [inline] + net_rx_action+0x801/0xb40 net/core/dev.c:7177 + __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 + invoke_softirq kernel/softirq.c:432 [inline] + __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 + common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240 + asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629 
+RIP: 0033:0x7f5e972bfd57 +Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73 +RSP: 002b:00007fff8a413210 EFLAGS: 00000283 +RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45 +RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45 +RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9 +R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0 +R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019 + + +Allocated by task 13: + kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:46 [inline] + set_alloc_info mm/kasan/common.c:434 [inline] + __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467 + kasan_slab_alloc include/linux/kasan.h:259 [inline] + slab_post_alloc_hook mm/slab.h:519 [inline] + slab_alloc_node mm/slub.c:3234 [inline] + slab_alloc mm/slub.c:3242 [inline] + kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247 + dst_alloc+0x146/0x1f0 net/core/dst.c:92 + rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613 + ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:2340 + ip_route_input_rcu net/ipv4/route.c:2470 [inline] + ip_route_input_noref+0x116/0x2a0 net/ipv4/route.c:2415 + ip_rcv_finish_core.constprop.0+0x288/0x1e80 net/ipv4/ip_input.c:354 + ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583 + ip_sublist_rcv net/ipv4/ip_input.c:609 [inline] + ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644 + __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline] + __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556 + __netif_receive_skb_list net/core/dev.c:5608 [inline] + netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699 + gro_normal_list net/core/dev.c:5853 [inline] + gro_normal_list net/core/dev.c:5849 [inline] + napi_complete_done+0x1f1/0x880 net/core/dev.c:6590 + virtqueue_napi_complete 
drivers/net/virtio_net.c:339 [inline] + virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557 + __napi_poll+0xaf/0x440 net/core/dev.c:7023 + napi_poll net/core/dev.c:7090 [inline] + net_rx_action+0x801/0xb40 net/core/dev.c:7177 + __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 + +Freed by task 13: + kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 + kasan_set_track+0x21/0x30 mm/kasan/common.c:46 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 + ____kasan_slab_free mm/kasan/common.c:366 [inline] + ____kasan_slab_free mm/kasan/common.c:328 [inline] + __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374 + kasan_slab_free include/linux/kasan.h:235 [inline] + slab_free_hook mm/slub.c:1723 [inline] + slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749 + slab_free mm/slub.c:3513 [inline] + kmem_cache_free+0xbd/0x5d0 mm/slub.c:3530 + dst_destroy+0x2d6/0x3f0 net/core/dst.c:127 + rcu_do_batch kernel/rcu/tree.c:2506 [inline] + rcu_core+0x7ab/0x1470 kernel/rcu/tree.c:2741 + __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 + __kasan_record_aux_stack+0xf5/0x120 mm/kasan/generic.c:348 + __call_rcu kernel/rcu/tree.c:2985 [inline] + call_rcu+0xb1/0x740 kernel/rcu/tree.c:3065 + dst_release net/core/dst.c:177 [inline] + dst_release+0x79/0xe0 net/core/dst.c:167 + tcp_v4_do_rcv+0x612/0x8d0 net/ipv4/tcp_ipv4.c:1712 + sk_backlog_rcv include/net/sock.h:1030 [inline] + __release_sock+0x134/0x3b0 net/core/sock.c:2768 + release_sock+0x54/0x1b0 net/core/sock.c:3300 + tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1441 + inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:724 + sock_write_iter+0x289/0x3c0 net/socket.c:1057 + call_write_iter include/linux/fs.h:2162 [inline] + new_sync_write+0x429/0x660 fs/read_write.c:503 + vfs_write+0x7cd/0xae0 fs/read_write.c:590 + ksys_write+0x1ee/0x250 fs/read_write.c:643 + do_syscall_x64 
arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff88807f1cb700 + which belongs to the cache ip_dst_cache of size 176 +The buggy address is located 58 bytes inside of + 176-byte region [ffff88807f1cb700, ffff88807f1cb7b0) +The buggy address belongs to the page: +page:ffffea0001fc72c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f1cb +flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000000200 dead000000000100 dead000000000122 ffff8881413bb780 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5, ts 108466983062, free_ts 108048976062 + prep_new_page mm/page_alloc.c:2418 [inline] + get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149 + __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369 + alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191 + alloc_slab_page mm/slub.c:1793 [inline] + allocate_slab mm/slub.c:1930 [inline] + new_slab+0x32d/0x4a0 mm/slub.c:1993 + ___slab_alloc+0x918/0xfe0 mm/slub.c:3022 + __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109 + slab_alloc_node mm/slub.c:3200 [inline] + slab_alloc mm/slub.c:3242 [inline] + kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3247 + dst_alloc+0x146/0x1f0 net/core/dst.c:92 + rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613 + __mkroute_output net/ipv4/route.c:2564 [inline] + ip_route_output_key_hash_rcu+0x921/0x2d00 net/ipv4/route.c:2791 + ip_route_output_key_hash+0x18b/0x300 net/ipv4/route.c:2619 + __ip_route_output_key include/net/route.h:126 [inline] + ip_route_output_flow+0x23/0x150 net/ipv4/route.c:2850 + ip_route_output_key include/net/route.h:142 [inline] + geneve_get_v4_rt+0x3a6/0x830 drivers/net/geneve.c:809 + 
geneve_xmit_skb drivers/net/geneve.c:899 [inline] + geneve_xmit+0xc4a/0x3540 drivers/net/geneve.c:1082 + __netdev_start_xmit include/linux/netdevice.h:4994 [inline] + netdev_start_xmit include/linux/netdevice.h:5008 [inline] + xmit_one net/core/dev.c:3590 [inline] + dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606 + __dev_queue_xmit+0x299a/0x3650 net/core/dev.c:4229 +page last free stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1338 [inline] + free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389 + free_unref_page_prepare mm/page_alloc.c:3309 [inline] + free_unref_page+0x19/0x690 mm/page_alloc.c:3388 + qlink_free mm/kasan/quarantine.c:146 [inline] + qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165 + kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272 + __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:444 + kasan_slab_alloc include/linux/kasan.h:259 [inline] + slab_post_alloc_hook mm/slab.h:519 [inline] + slab_alloc_node mm/slub.c:3234 [inline] + kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3270 + __alloc_skb+0x215/0x340 net/core/skbuff.c:414 + alloc_skb include/linux/skbuff.h:1126 [inline] + alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6078 + sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2575 + mld_newpack+0x1df/0x770 net/ipv6/mcast.c:1754 + add_grhead+0x265/0x330 net/ipv6/mcast.c:1857 + add_grec+0x1053/0x14e0 net/ipv6/mcast.c:1995 + mld_send_initial_cr.part.0+0xf6/0x230 net/ipv6/mcast.c:2242 + mld_send_initial_cr net/ipv6/mcast.c:1232 [inline] + mld_dad_work+0x1d3/0x690 net/ipv6/mcast.c:2268 + process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298 + worker_thread+0x658/0x11f0 kernel/workqueue.c:2445 + +Memory state around the buggy address: + ffff88807f1cb600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88807f1cb680: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc +>ffff88807f1cb700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88807f1cb780: fb fb fb fb fb fb fc fc 
fc fc fc fc fc fc fc fc + ffff88807f1cb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20211220143330.680945-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 +- + net/ipv4/af_inet.c | 2 +- + net/ipv4/tcp.c | 3 +-- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_ipv4.c | 11 +++++++---- + net/ipv4/udp.c | 6 +++--- + net/ipv6/tcp_ipv6.c | 11 +++++++---- + net/ipv6/udp.c | 4 ++-- + 8 files changed, 23 insertions(+), 18 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 796f859c69dd7..dfb92f91d5be5 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -432,7 +432,7 @@ struct sock { + #ifdef CONFIG_XFRM + struct xfrm_policy __rcu *sk_policy[2]; + #endif +- struct dst_entry *sk_rx_dst; ++ struct dst_entry __rcu *sk_rx_dst; + int sk_rx_dst_ifindex; + u32 sk_rx_dst_cookie; + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 64062b7ce61df..3a9422a5873eb 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -158,7 +158,7 @@ void inet_sock_destruct(struct sock *sk) + + kfree(rcu_dereference_protected(inet->inet_opt, 1)); + dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1)); +- dst_release(sk->sk_rx_dst); ++ dst_release(rcu_dereference_protected(sk->sk_rx_dst, 1)); + sk_refcnt_debug_dec(sk); + } + EXPORT_SYMBOL(inet_sock_destruct); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 844c6e5a82891..f48f1059b31a6 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3039,8 +3039,7 @@ int tcp_disconnect(struct sock *sk, int flags) + icsk->icsk_ack.rcv_mss = TCP_MIN_MSS; + memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); + __sk_dst_reset(sk); +- dst_release(sk->sk_rx_dst); +- sk->sk_rx_dst = NULL; ++ dst_release(xchg((__force struct dst_entry **)&sk->sk_rx_dst, NULL)); + tcp_saved_syn_free(tp); + tp->compressed_ack = 0; + tp->segs_in = 0; 
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 141e85e6422b1..f3b6239674361 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5770,7 +5770,7 @@ void tcp_rcv_established(struct sock *sk, struct sk_buff *skb) + trace_tcp_probe(sk, skb); + + tcp_mstamp_refresh(tp); +- if (unlikely(!sk->sk_rx_dst)) ++ if (unlikely(!rcu_access_pointer(sk->sk_rx_dst))) + inet_csk(sk)->icsk_af_ops->sk_rx_dst_set(sk, skb); + /* + * Header prediction. +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index f6838eec6ef73..0fe9461647da5 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1698,7 +1698,10 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) + struct sock *rsk; + + if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */ +- struct dst_entry *dst = sk->sk_rx_dst; ++ struct dst_entry *dst; ++ ++ dst = rcu_dereference_protected(sk->sk_rx_dst, ++ lockdep_sock_is_held(sk)); + + sock_rps_save_rxhash(sk, skb); + sk_mark_napi_id(sk, skb); +@@ -1706,8 +1709,8 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) + if (sk->sk_rx_dst_ifindex != skb->skb_iif || + !INDIRECT_CALL_1(dst->ops->check, ipv4_dst_check, + dst, 0)) { ++ RCU_INIT_POINTER(sk->sk_rx_dst, NULL); + dst_release(dst); +- sk->sk_rx_dst = NULL; + } + } + tcp_rcv_established(sk, skb); +@@ -1783,7 +1786,7 @@ int tcp_v4_early_demux(struct sk_buff *skb) + skb->sk = sk; + skb->destructor = sock_edemux; + if (sk_fullsock(sk)) { +- struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst); ++ struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst); + + if (dst) + dst = dst_check(dst, 0); +@@ -2200,7 +2203,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + struct dst_entry *dst = skb_dst(skb); + + if (dst && dst_hold_safe(dst)) { +- sk->sk_rx_dst = dst; ++ rcu_assign_pointer(sk->sk_rx_dst, dst); + sk->sk_rx_dst_ifindex = skb->skb_iif; + } + } +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 3f6823bdd31e5..be07e3d2b77bc 100644 +--- a/net/ipv4/udp.c 
++++ b/net/ipv4/udp.c +@@ -2251,7 +2251,7 @@ bool udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst) + struct dst_entry *old; + + if (dst_hold_safe(dst)) { +- old = xchg(&sk->sk_rx_dst, dst); ++ old = xchg((__force struct dst_entry **)&sk->sk_rx_dst, dst); + dst_release(old); + return old != dst; + } +@@ -2441,7 +2441,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + struct dst_entry *dst = skb_dst(skb); + int ret; + +- if (unlikely(sk->sk_rx_dst != dst)) ++ if (unlikely(rcu_dereference(sk->sk_rx_dst) != dst)) + udp_sk_rx_dst_set(sk, dst); + + ret = udp_unicast_rcv_skb(sk, skb, uh); +@@ -2600,7 +2600,7 @@ int udp_v4_early_demux(struct sk_buff *skb) + + skb->sk = sk; + skb->destructor = sock_efree; +- dst = READ_ONCE(sk->sk_rx_dst); ++ dst = rcu_dereference(sk->sk_rx_dst); + + if (dst) + dst = dst_check(dst, 0); +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 42eafe35415d1..8eedf59e9cf25 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -107,7 +107,7 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + if (dst && dst_hold_safe(dst)) { + const struct rt6_info *rt = (const struct rt6_info *)dst; + +- sk->sk_rx_dst = dst; ++ rcu_assign_pointer(sk->sk_rx_dst, dst); + sk->sk_rx_dst_ifindex = skb->skb_iif; + sk->sk_rx_dst_cookie = rt6_get_cookie(rt); + } +@@ -1504,7 +1504,10 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) + opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC)); + + if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */ +- struct dst_entry *dst = sk->sk_rx_dst; ++ struct dst_entry *dst; ++ ++ dst = rcu_dereference_protected(sk->sk_rx_dst, ++ lockdep_sock_is_held(sk)); + + sock_rps_save_rxhash(sk, skb); + sk_mark_napi_id(sk, skb); +@@ -1512,8 +1515,8 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) + if (sk->sk_rx_dst_ifindex != skb->skb_iif || + INDIRECT_CALL_1(dst->ops->check, ip6_dst_check, + dst, sk->sk_rx_dst_cookie) == NULL) { 
++ RCU_INIT_POINTER(sk->sk_rx_dst, NULL); + dst_release(dst); +- sk->sk_rx_dst = NULL; + } + } + +@@ -1875,7 +1878,7 @@ INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb) + skb->sk = sk; + skb->destructor = sock_edemux; + if (sk_fullsock(sk)) { +- struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst); ++ struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst); + + if (dst) + dst = dst_check(dst, sk->sk_rx_dst_cookie); +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 12c12619ee357..7bee95d8d2df0 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -956,7 +956,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + struct dst_entry *dst = skb_dst(skb); + int ret; + +- if (unlikely(sk->sk_rx_dst != dst)) ++ if (unlikely(rcu_dereference(sk->sk_rx_dst) != dst)) + udp6_sk_rx_dst_set(sk, dst); + + if (!uh->check && !udp_sk(sk)->no_check6_rx) { +@@ -1070,7 +1070,7 @@ INDIRECT_CALLABLE_SCOPE void udp_v6_early_demux(struct sk_buff *skb) + + skb->sk = sk; + skb->destructor = sock_efree; +- dst = READ_ONCE(sk->sk_rx_dst); ++ dst = rcu_dereference(sk->sk_rx_dst); + + if (dst) + dst = dst_check(dst, sk->sk_rx_dst_cookie); +-- +2.34.1 + diff --git a/queue-5.15/io_uring-zero-iocb-ki_pos-for-stream-file-types.patch b/queue-5.15/io_uring-zero-iocb-ki_pos-for-stream-file-types.patch new file mode 100644 index 00000000000..272171427ac --- /dev/null +++ b/queue-5.15/io_uring-zero-iocb-ki_pos-for-stream-file-types.patch 
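Review bot: In `__udp4_lib_rcv()` and `__udp6_lib_rcv()` the new test `rcu_dereference(sk->sk_rx_dst) != dst` only compares the pointer value and never dereferences it, so `rcu_access_pointer(sk->sk_rx_dst)` would state the intent more precisely and would match the `tcp_rcv_established()` change in this same patch. The two `xchg((__force struct dst_entry **)&sk->sk_rx_dst, ...)` calls in `tcp_disconnect()` and `udp_sk_rx_dst_set()` strip the `__rcu` annotation without explanation; a short comment such as `/* __force: xchg() on an __rcu pointer, cast only to satisfy sparse */` would help the next reader. Both are readability points; the enclosing functions continue outside the inner hunks, so the surrounding locking cannot be checked from here.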
@@ -0,0 +1,51 @@
+From 89cd295ff6066f01103f802e943ef5b915313d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Dec 2021 20:26:56 -0700
+Subject: io_uring: zero iocb->ki_pos for stream file types
+
+From: Jens Axboe
+
+[ Upstream commit 7b9762a5e8837b92a027d58d396a9d27f6440c36 ]
+
+io_uring supports using offset == -1 for using the current file position,
+and we read that in as part of read/write command setup. For the non-iter
+read/write types we pass in NULL for the position pointer, but for the
+iter types we should not be passing any anything but 0 for the position
+for a stream.
+
+Clear kiocb->ki_pos if the file is a stream, don't leave it as -1. If we
+do, then the request will error with -ESPIPE.
+
+Fixes: ba04291eb66e ("io_uring: allow use of offset == -1 to mean file position")
+Link: https://github.com/axboe/liburing/discussions/501
+Reported-by: Samuel Williams
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ fs/io_uring.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index e9b06e339c4b0..0006fc7479ca3 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2879,9 +2879,13 @@ static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
+ req->flags |= REQ_F_ISREG;
+
+ kiocb->ki_pos = READ_ONCE(sqe->off);
+- if (kiocb->ki_pos == -1 && !(file->f_mode & FMODE_STREAM)) {
+- req->flags |= REQ_F_CUR_POS;
+- kiocb->ki_pos = file->f_pos;
++ if (kiocb->ki_pos == -1) {
++ if (!(file->f_mode & FMODE_STREAM)) {
++ req->flags |= REQ_F_CUR_POS;
++ kiocb->ki_pos = file->f_pos;
++ } else {
++ kiocb->ki_pos = 0;
++ }
+ }
+ kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
+ kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
+--
+2.34.1
+
diff --git a/queue-5.15/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch b/queue-5.15/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch
new file mode 100644
index 00000000000..457a45fd7dc
--- /dev/null
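Review bot: The new `else` branch in io_prep_rw() sets `kiocb->ki_pos = 0` without a comment, so the reason a stream file gets 0 rather than the submitted -1 can only be recovered from the commit message. A comment on that branch such as `/* streams have no file position; a -1 left here makes the request fail with -ESPIPE */` would keep the intent next to the code. Offsets other than -1 on a stream file still pass through unchanged, which looks deliberate but is worth stating in the same comment. io_prep_rw() starts and ends outside the hunk.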
+++ b/queue-5.15/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch 
@@ -0,0 +1,143 @@
+From 2e69c92867126053978409f45a1374861c4d7a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Dec 2021 15:00:34 +0800
+Subject: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
+
+From: Wu Bo
+
+[ Upstream commit ffb76a86f8096a8206be03b14adda6092e18e275 ]
+
+Hi,
+
+When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,
+the system crashed.
+
+The log as follows:
+[ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a
+[ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0
+[ 141.087464] Oops: 0010 [#1] SMP NOPTI
+[ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47
+[ 141.088009] Workqueue: events 0xffffffffc09b3a40
+[ 141.088009] RIP: 0010:0xffffffffc09b3a5a
+[ 141.088009] Code: Bad RIP value.
+[ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246
+[ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000
+[ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
+[ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1
+[ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700
+[ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8
+[ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000
+[ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0
+[ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 141.088009] PKRU: 55555554
+[ 141.088009] Call Trace:
+[ 141.088009] ? process_one_work+0x195/0x390
+[ 141.088009] ? worker_thread+0x30/0x390
+[ 141.088009] ? process_one_work+0x390/0x390
+[ 141.088009] ? kthread+0x10d/0x130
+[ 141.088009] ? kthread_flush_work_fn+0x10/0x10
+[ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a
+[ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0
+[ 200.223464] Oops: 0010 [#1] SMP NOPTI
+[ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46
+[ 200.224008] Workqueue: events 0xffffffffc0b28a40
+[ 200.224008] RIP: 0010:0xffffffffc0b28a5a
+[ 200.224008] Code: Bad RIP value.
+[ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246
+[ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000
+[ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
+[ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5
+[ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700
+[ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8
+[ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000
+[ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0
+[ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 200.224008] PKRU: 55555554
+[ 200.224008] Call Trace:
+[ 200.224008] ? process_one_work+0x195/0x390
+[ 200.224008] ? worker_thread+0x30/0x390
+[ 200.224008] ? process_one_work+0x390/0x390
+[ 200.224008] ? kthread+0x10d/0x130
+[ 200.224008] ? kthread_flush_work_fn+0x10/0x10
+[ 200.224008] ? ret_from_fork+0x35/0x40
+[ 200.224008] kernel fault(0x1) notification starting on CPU 63
+[ 200.224008] kernel fault(0x1) notification finished on CPU 63
+[ 200.224008] CR2: ffffffffc0b28a5a
+[ 200.224008] ---[ end trace c82a412d93f57412 ]---
+
+The reason is as follows:
+T1: rmmod ipmi_si.
+ ->ipmi_unregister_smi()
+ -> ipmi_bmc_unregister()
+ -> __ipmi_bmc_unregister()
+ -> kref_put(&bmc->usecount, cleanup_bmc_device);
+ -> schedule_work(&bmc->remove_work);
+
+T2: rmmod ipmi_msghandler.
+ ipmi_msghander module uninstalled, and the module space
+ will be freed.
+
+T3: bmc->remove_work doing cleanup the bmc resource.
+ -> cleanup_bmc_work()
+ -> platform_device_unregister(&bmc->pdev);
+ -> platform_device_del(pdev);
+ -> device_del(&pdev->dev);
+ -> kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+ -> kobject_uevent_env()
+ -> dev_uevent()
+ -> if (dev->type && dev->type->name)
+
+ 'dev->type'(bmc_device_type) pointer space has freed when uninstall
+ ipmi_msghander module, 'dev->type->name' cause the system crash.
+
+drivers/char/ipmi/ipmi_msghandler.c:
+2820 static const struct device_type bmc_device_type = {
+2821 .groups = bmc_dev_attr_groups,
+2822 };
+
+Steps to reproduce:
+Add a time delay in cleanup_bmc_work() function,
+and uninstall ipmi_si and ipmi_msghandler module.
+
+2910 static void cleanup_bmc_work(struct work_struct *work)
+2911 {
+2912 struct bmc_device *bmc = container_of(work, struct bmc_device,
+2913 remove_work);
+2914 int id = bmc->pdev.id; /* Unregister overwrites id */
+2915
+2916 msleep(3000); <---
+2917 platform_device_unregister(&bmc->pdev);
+2918 ida_simple_remove(&ipmi_bmc_ida, id);
+2919 }
+
+Use 'remove_work_wq' instead of 'system_wq' to solve this issues.
+
+Fixes: b2cfd8ab4add ("ipmi: Rework device id and guid handling to catch changing BMCs")
+Signed-off-by: Wu Bo
+Message-Id: <1640070034-56671-1-git-send-email-wubo40@huawei.com>
+Signed-off-by: Corey Minyard
+Signed-off-by: Sasha Levin
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index b404cc46cbda7..ca13536ad0008 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -2932,7 +2932,7 @@ cleanup_bmc_device(struct kref *ref)
+ * with removing the device attributes while reading a device
+ * attribute.
+ */
+- schedule_work(&bmc->remove_work);
++ queue_work(remove_work_wq, &bmc->remove_work);
+ }
+
+ /*
+--
+2.34.1
+
diff --git a/queue-5.15/ipv6-move-inet6_sk-sk-rx_dst_cookie-to-sk-sk_rx_dst_.patch b/queue-5.15/ipv6-move-inet6_sk-sk-rx_dst_cookie-to-sk-sk_rx_dst_.patch
new file mode 100644
index 00000000000..d9fc86b02fd
--- /dev/null
+++ b/queue-5.15/ipv6-move-inet6_sk-sk-rx_dst_cookie-to-sk-sk_rx_dst_.patch
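Review bot: The switch to `queue_work(remove_work_wq, &bmc->remove_work)` in cleanup_bmc_device() only closes the use-after-free if `remove_work_wq` is drained and destroyed in the ipmi_msghandler exit path before the module's data, including `bmc_device_type`, is released, and none of that is visible in this hunk. Since the patch adds neither the allocation nor a matching `destroy_workqueue()`, it is worth confirming that this 5.15 tree already carries both. A comment on the call, e.g. `/* remove_work_wq is flushed at module exit, so this work cannot run after unload */`, would record the dependency, with the wording adjusted to what the exit path actually does. cleanup_bmc_device() begins outside the hunk.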
@@ -0,0 +1,112 @@
+From 210234b82f25ea4072e89722fc62f50e1c171dad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Oct 2021 09:48:17 -0700
+Subject: ipv6: move inet6_sk(sk)->rx_dst_cookie to sk->sk_rx_dst_cookie
+
+From: Eric Dumazet
+
+[ Upstream commit ef57c1610dd8fba5031bf71e0db73356190de151 ]
+
+Increase cache locality by moving rx_dst_coookie next to sk->sk_rx_dst
+
+This removes one or two cache line misses in IPv6 early demux (TCP/UDP)
+
+Signed-off-by: Eric Dumazet
+Acked-by: Soheil Hassas Yeganeh
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/ipv6.h | 1 -
+ include/net/sock.h | 2 ++
+ net/ipv6/tcp_ipv6.c | 6 +++---
+ net/ipv6/udp.c | 4 ++--
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
+index ef4a69865737c..c383630d3f065 100644
+--- a/include/linux/ipv6.h
++++ b/include/linux/ipv6.h
+@@ -282,7 +282,6 @@ struct ipv6_pinfo {
+ __be32 rcv_flowinfo;
+
+ __u32 dst_cookie;
+- __u32 rx_dst_cookie;
+
+ struct ipv6_mc_socklist __rcu *ipv6_mc_list;
+ struct ipv6_ac_socklist *ipv6_ac_list;
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 752601265a955..796f859c69dd7 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -260,6 +260,7 @@ struct bpf_local_storage;
+ * @sk_wq: sock wait queue and async head
+ * @sk_rx_dst: receive input route used by early demux
+ * @sk_rx_dst_ifindex: ifindex for @sk_rx_dst
++ * @sk_rx_dst_cookie: cookie for @sk_rx_dst
+ * @sk_dst_cache: destination cache
+ * @sk_dst_pending_confirm: need to confirm neighbour
+ * @sk_policy: flow policy
+@@ -433,6 +434,7 @@ struct sock {
+ #endif
+ struct dst_entry *sk_rx_dst;
+ int sk_rx_dst_ifindex;
++ u32 sk_rx_dst_cookie;
+
+ struct dst_entry __rcu *sk_dst_cache;
+ atomic_t sk_omem_alloc;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index c72586ee517ba..42eafe35415d1 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -109,7 +109,7 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+
+ sk->sk_rx_dst = dst;
+ sk->sk_rx_dst_ifindex = skb->skb_iif;
+- tcp_inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
++ sk->sk_rx_dst_cookie = rt6_get_cookie(rt);
+ }
+ }
+
+@@ -1511,7 +1511,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ if (dst) {
+ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ INDIRECT_CALL_1(dst->ops->check, ip6_dst_check,
+- dst, np->rx_dst_cookie) == NULL) {
++ dst, sk->sk_rx_dst_cookie) == NULL) {
+ dst_release(dst);
+ sk->sk_rx_dst = NULL;
+ }
+@@ -1878,7 +1878,7 @@ INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb)
+ struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
+
+ if (dst)
+- dst = dst_check(dst, tcp_inet6_sk(sk)->rx_dst_cookie);
++ dst = dst_check(dst, sk->sk_rx_dst_cookie);
+ if (dst &&
+ sk->sk_rx_dst_ifindex == skb->skb_iif)
+ skb_dst_set_noref(skb, dst);
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index be6dc64ece29f..12c12619ee357 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -884,7 +884,7 @@ static void udp6_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
+ if (udp_sk_rx_dst_set(sk, dst)) {
+ const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+- inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
++ sk->sk_rx_dst_cookie = rt6_get_cookie(rt);
+ }
+ }
+
+@@ -1073,7 +1073,7 @@ INDIRECT_CALLABLE_SCOPE void udp_v6_early_demux(struct sk_buff *skb)
+ dst = READ_ONCE(sk->sk_rx_dst);
+
+ if (dst)
+- dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
++ dst = dst_check(dst, sk->sk_rx_dst_cookie);
+ if (dst) {
+ /* set noref for now.
+ * any place which wants to hold dst has to call
+--
+2.34.1
+
diff --git a/queue-5.15/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch b/queue-5.15/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch
new file mode 100644
index 00000000000..13bf2e4d168
--- /dev/null
+++ b/queue-5.15/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch
@@ -0,0 +1,75 @@
+From b958bc01efdcd0f8d52eae364d969d7f48c433d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Dec 2021 09:49:01 -0500
+Subject: net: accept UFOv6 packages in virtio_net_hdr_to_skb
+
+From: Willem de Bruijn
+
+[ Upstream commit 7e5cced9ca84df52d874aca6b632f930b3dc5bc6 ]
+
+Skb with skb->protocol 0 at the time of virtio_net_hdr_to_skb may have
+a protocol inferred from virtio_net_hdr with virtio_net_hdr_set_proto.
+
+Unlike TCP, UDP does not have separate types for IPv4 and IPv6. Type
+VIRTIO_NET_HDR_GSO_UDP is guessed to be IPv4/UDP. As of the below
+commit, UFOv6 packets are dropped due to not matching the protocol as
+obtained from dev_parse_header_protocol.
+
+Invert the test to take that L2 protocol field as starting point and
+pass both UFOv4 and UFOv6 for VIRTIO_NET_HDR_GSO_UDP.
+
+Fixes: 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct")
+Link: https://lore.kernel.org/netdev/CABcq3pG9GRCYqFDBAJ48H1vpnnX=41u+MhQnayF1ztLH4WX0Fw@mail.gmail.com/
+Reported-by: Andrew Melnichenko
+Signed-off-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/20211220144901.2784030-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/virtio_net.h | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 04e87f4b9417c..22dd48c825600 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -7,6 +7,21 @@
+ #include
+ #include
+
++static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type)
++{
++ switch (gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
++ case VIRTIO_NET_HDR_GSO_TCPV4:
++ return protocol == cpu_to_be16(ETH_P_IP);
++ case VIRTIO_NET_HDR_GSO_TCPV6:
++ return protocol == cpu_to_be16(ETH_P_IPV6);
++ case VIRTIO_NET_HDR_GSO_UDP:
++ return protocol == cpu_to_be16(ETH_P_IP) ||
++ protocol == cpu_to_be16(ETH_P_IPV6);
++ default:
++ return false;
++ }
++}
++
+ static inline int virtio_net_hdr_set_proto(struct sk_buff *skb,
+ const struct virtio_net_hdr *hdr)
+ {
+@@ -88,9 +103,12 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ if (!skb->protocol) {
+ __be16 protocol = dev_parse_header_protocol(skb);
+
+- virtio_net_hdr_set_proto(skb, hdr);
+- if (protocol && protocol != skb->protocol)
++ if (!protocol)
++ virtio_net_hdr_set_proto(skb, hdr);
++ else if (!virtio_net_hdr_match_proto(protocol, hdr->gso_type))
+ return -EINVAL;
++ else
++ skb->protocol = protocol;
+ }
+ retry:
+ if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys,
+--
+2.34.1
+
diff --git a/queue-5.15/net-bridge-fix-ioctl-old_deviceless-bridge-argument.patch b/queue-5.15/net-bridge-fix-ioctl-old_deviceless-bridge-argument.patch
new file mode 100644
index 00000000000..073a7280071
--- /dev/null
+++ b/queue-5.15/net-bridge-fix-ioctl-old_deviceless-bridge-argument.patch
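Review bot: In virtio_net_hdr_match_proto() the `default: return false;` arm makes virtio_net_hdr_to_skb() return -EINVAL for every gso_type other than TCPV4, TCPV6 and UDP whenever dev_parse_header_protocol() yields a protocol, and that would include a header with VIRTIO_NET_HDR_GSO_NONE. Whether a non-GSO header can reach this call depends on the conditions enclosing the `if (!skb->protocol)` block, which start outside the hunk, so this should be checked against the full function. Because the virtio_net_hdr is externally supplied, a comment on the helper stating the precondition, e.g. `/* only call for GSO packets: any other gso_type is rejected */`, would make the contract explicit.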
@@ -0,0 +1,57 @@
+From 29a91cd9787711f0c23d282876f34300f39c691d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Dec 2021 16:31:38 +0100
+Subject: net: bridge: fix ioctl old_deviceless bridge argument
+
+From: Remi Pommarel
+
+[ Upstream commit d95a56207c078e2019cf6659d890ec1e987e8420 ]
+
+Commit 561d8352818f ("bridge: use ndo_siocdevprivate") changed the
+source and destination arguments of copy_{to,from}_user in bridge's
+old_deviceless() from args[1] to uarg breaking SIOC{G,S}IFBR ioctls.
+
+Commit cbd7ad29a507 ("net: bridge: fix ioctl old_deviceless bridge
+argument") fixed only BRCTL_{ADD,DEL}_BRIDGES commands leaving
+BRCTL_GET_BRIDGES one untouched.
+
+The fixes BRCTL_GET_BRIDGES as well and has been tested with busybox's
+brctl.
+
+Example of broken brctl:
+$ brctl show
+bridge name bridge id STP enabled interfaces
+brctl: can't get bridge name for index 0: No such device or address
+
+Example of fixed brctl:
+$ brctl show
+bridge name bridge id STP enabled interfaces
+br0 8000.000000000000 no
+
+Fixes: 561d8352818f ("bridge: use ndo_siocdevprivate")
+Signed-off-by: Remi Pommarel
+Reviewed-by: Arnd Bergmann
+Acked-by: Nikolay Aleksandrov
+Link: https://lore.kernel.org/all/20211223153139.7661-2-repk@triplefau.lt/
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
+index 49c268871fc11..9922497e59f8c 100644
+--- a/net/bridge/br_ioctl.c
++++ b/net/bridge/br_ioctl.c
+@@ -337,7 +337,7 @@ static int old_deviceless(struct net *net, void __user *uarg)
+
+ args[2] = get_bridge_ifindices(net, indices, args[2]);
+
+- ret = copy_to_user(uarg, indices,
++ ret = copy_to_user((void __user *)args[1], indices,
+ array_size(args[2], sizeof(int)))
+ ? -EFAULT : args[2];
+
+--
+2.34.1
+
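Review bot: The destination of `copy_to_user()` in old_deviceless() is now `(void __user *)args[1]`, an integer taken from the caller and cast to a pointer, and nothing at the call site says why it differs from `uarg`. Mixing up the two is the regression this patch repairs, so a comment such as `/* args[1] is the user buffer for the indices; uarg is the ioctl argument itself */` would help keep them apart (the role of `uarg` is inferred from the commit message and should be confirmed). The copy length uses `args[2]` after it has been overwritten with the return value of get_bridge_ifindices(); the bound on the original `args[2]` and the allocation of `indices` are outside the hunk and should be confirmed to cover that value. old_deviceless() starts and ends outside the hunk.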
diff --git a/queue-5.15/net-bridge-use-array_size-helper-in-copy_to_user.patch b/queue-5.15/net-bridge-use-array_size-helper-in-copy_to_user.patch
new file mode 100644
index 00000000000..64a2bc74368
--- /dev/null
+++ b/queue-5.15/net-bridge-use-array_size-helper-in-copy_to_user.patch
@@ -0,0 +1,57 @@
+From 92e509ceb8674e14d64b8ade9bdcb5b476ae881c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Sep 2021 15:12:39 -0500
+Subject: net: bridge: Use array_size() helper in copy_to_user()
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit 865bfb2affa8eff5182b29aa90803a2df4409834 ]
+
+Use array_size() helper instead of the open-coded version in
+copy_to_user(). These sorts of multiplication factors need
+to be wrapped in array_size().
+
+Link: https://github.com/KSPP/linux/issues/160
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_ioctl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
+index 793b0db9d9a36..49c268871fc11 100644
+--- a/net/bridge/br_ioctl.c
++++ b/net/bridge/br_ioctl.c
+@@ -71,7 +71,8 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf,
+
+ num = br_fdb_fillbuf(br, buf, maxnum, offset);
+ if (num > 0) {
+- if (copy_to_user(userbuf, buf, num*sizeof(struct __fdb_entry)))
++ if (copy_to_user(userbuf, buf,
++ array_size(num, sizeof(struct __fdb_entry))))
+ num = -EFAULT;
+ }
+ kfree(buf);
+@@ -188,7 +189,7 @@ int br_dev_siocdevprivate(struct net_device *dev, struct ifreq *rq, void __user
+ return -ENOMEM;
+
+ get_port_ifindices(br, indices, num);
+- if (copy_to_user(argp, indices, num * sizeof(int)))
++ if (copy_to_user(argp, indices, array_size(num, sizeof(int))))
+ num = -EFAULT;
+ kfree(indices);
+ return num;
+@@ -336,7 +337,8 @@ static int old_deviceless(struct net *net, void __user *uarg)
+
+ args[2] = get_bridge_ifindices(net, indices, args[2]);
+
+- ret = copy_to_user(uarg, indices, args[2]*sizeof(int))
++ ret = copy_to_user(uarg, indices,
++ array_size(args[2], sizeof(int)))
+ ? -EFAULT : args[2];
+
+ kfree(indices);
+--
+2.34.1
+
diff --git a/queue-5.15/net-ks8851-check-for-error-irq.patch b/queue-5.15/net-ks8851-check-for-error-irq.patch
new file mode 100644
index 00000000000..2362fdc7a90
--- /dev/null
+++ b/queue-5.15/net-ks8851-check-for-error-irq.patch
@@ -0,0 +1,37 @@
+From e4d75dfcf17720523f8ee2c989968c61436e4d5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Dec 2021 15:59:44 +0800
+Subject: net: ks8851: Check for error irq
+
+From: Jiasheng Jiang
+
+[ Upstream commit 99d7fbb5cedf598f67e8be106d6c7b8d91366aef ]
+
+Because platform_get_irq() could fail and return error irq.
+Therefore, it might be better to check it if order to avoid the use of
+error irq.
+
+Fixes: 797047f875b5 ("net: ks8851: Implement Parallel bus operations")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/micrel/ks8851_par.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851_par.c b/drivers/net/ethernet/micrel/ks8851_par.c
+index 2e8fcce50f9d1..c6f517c07bb9a 100644
+--- a/drivers/net/ethernet/micrel/ks8851_par.c
++++ b/drivers/net/ethernet/micrel/ks8851_par.c
+@@ -321,6 +321,8 @@ static int ks8851_probe_par(struct platform_device *pdev)
+ return ret;
+
+ netdev->irq = platform_get_irq(pdev, 0);
++ if (netdev->irq < 0)
++ return netdev->irq;
+
+ return ks8851_probe_common(netdev, dev, msg_enable);
+ }
+--
+2.34.1
+
diff --git a/queue-5.15/net-marvell-prestera-fix-incorrect-return-of-port_fi.patch b/queue-5.15/net-marvell-prestera-fix-incorrect-return-of-port_fi.patch
new file mode 100644
index 00000000000..127f61ceb67
--- /dev/null
+++ b/queue-5.15/net-marvell-prestera-fix-incorrect-return-of-port_fi.patch
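Review bot: ks8851_probe_par() stores the result of platform_get_irq() in `netdev->irq` before testing it, so on failure the netdev briefly carries a negative errno as its IRQ number. Going through a local keeps the field valid at all times: `irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; netdev->irq = irq;`. The early return also assumes that everything acquired earlier in the function is released automatically; that code is outside the hunk, so it should be confirmed.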
@@ -0,0 +1,64 @@
+From d674f153f2a12c19ee185534bcbd60f3849332e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Dec 2021 19:07:36 +0200
+Subject: net: marvell: prestera: fix incorrect return of port_find
+
+From: Yevhen Orlov
+
+[ Upstream commit 8b681bd7c301c423fbe97a6b23388a2180ff04ca ]
+
+In case, when some ports is in list and we don't find requested - we
+return last iterator state and not return NULL as expected.
+
+Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices")
+Signed-off-by: Yevhen Orlov
+Link: https://lore.kernel.org/r/20211216170736.8851-1-yevhen.orlov@plvision.eu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../ethernet/marvell/prestera/prestera_main.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+index 44c670807fb3c..f6d2f928c5b83 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+@@ -54,12 +54,14 @@ int prestera_port_pvid_set(struct prestera_port *port, u16 vid)
+ struct prestera_port *prestera_port_find_by_hwid(struct prestera_switch *sw,
+ u32 dev_id, u32 hw_id)
+ {
+- struct prestera_port *port = NULL;
++ struct prestera_port *port = NULL, *tmp;
+
+ read_lock(&sw->port_list_lock);
+- list_for_each_entry(port, &sw->port_list, list) {
+- if (port->dev_id == dev_id && port->hw_id == hw_id)
++ list_for_each_entry(tmp, &sw->port_list, list) {
++ if (tmp->dev_id == dev_id && tmp->hw_id == hw_id) {
++ port = tmp;
+ break;
++ }
+ }
+ read_unlock(&sw->port_list_lock);
+
+@@ -68,12 +70,14 @@ struct prestera_port *prestera_port_find_by_hwid(struct prestera_switch *sw,
+
+ struct prestera_port *prestera_find_port(struct prestera_switch *sw, u32 id)
+ {
+- struct prestera_port *port = NULL;
++ struct prestera_port *port = NULL, *tmp;
+
+ read_lock(&sw->port_list_lock);
+- list_for_each_entry(port, &sw->port_list, list) {
+- if (port->id == id)
++ list_for_each_entry(tmp, &sw->port_list, list) {
++ if (tmp->id == id) {
++ port = tmp;
+ break;
++ }
+ }
+ read_unlock(&sw->port_list_lock);
+
+--
+2.34.1
+
diff --git a/queue-5.15/net-marvell-prestera-fix-incorrect-structure-access.patch b/queue-5.15/net-marvell-prestera-fix-incorrect-structure-access.patch
new file mode 100644
index 00000000000..022bf27167e
--- /dev/null
+++ b/queue-5.15/net-marvell-prestera-fix-incorrect-structure-access.patch
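Review bot: Both prestera_port_find_by_hwid() and prestera_find_port() release `port_list_lock` with `read_unlock()` before `port` reaches the caller, and the hunks show no reference being taken on the entry, so the caller ends up holding a pointer that the list lock no longer protects. If ports can be removed while the switch is live, the lifetime rule callers rely on should be documented on both functions, e.g. `/* caller must ensure the port cannot be unregistered while the result is in use */`. The return statements of both functions are outside the hunks, so this is based on the visible unlock and the commit message only.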
@@ -0,0 +1,113 @@
+From b453a10f2938d36dea49bde2c14b37f137b0f7c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Dec 2021 19:17:14 +0200
+Subject: net: marvell: prestera: fix incorrect structure access
+
+From: Yevhen Orlov
+
+[ Upstream commit 2efc2256febf214e7b2bdaa21fe6c3c3146acdcb ]
+
+In line:
+ upper = info->upper_dev;
+We access upper_dev field, which is related only for particular events
+(e.g. event == NETDEV_CHANGEUPPER). So, this line cause invalid memory
+access for another events,
+when ptr is not netdev_notifier_changeupper_info.
+
+The KASAN logs are as follows:
+
+[ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]
+[ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778
+[ 30.139866]
+[ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6
+[ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT)
+[ 30.153056] Call trace:
+[ 30.155547] dump_backtrace+0x0/0x2c0
+[ 30.159320] show_stack+0x18/0x30
+[ 30.162729] dump_stack_lvl+0x68/0x84
+[ 30.166491] print_address_description.constprop.0+0x74/0x2b8
+[ 30.172346] kasan_report+0x1e8/0x250
+[ 30.176102] __asan_load8+0x98/0xe0
+[ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]
+[ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera]
+[ 30.193313] raw_notifier_call_chain+0x74/0xa0
+[ 30.197860] call_netdevice_notifiers_info+0x68/0xc0
+[ 30.202924] register_netdevice+0x3cc/0x760
+[ 30.207190] register_netdev+0x24/0x50
+[ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera]
+
+Fixes: 3d5048cc54bd ("net: marvell: prestera: move netdev topology validation to prestera_main")
+Signed-off-by: Yevhen Orlov
+Link: https://lore.kernel.org/r/20211216171714.11341-1-yevhen.orlov@plvision.eu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../ethernet/marvell/prestera/prestera_main.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+index f6d2f928c5b83..aa543b29799ed 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+@@ -707,23 +707,27 @@ static int prestera_netdev_port_event(struct net_device *lower,
+ struct net_device *dev,
+ unsigned long event, void *ptr)
+ {
+- struct netdev_notifier_changeupper_info *info = ptr;
++ struct netdev_notifier_info *info = ptr;
++ struct netdev_notifier_changeupper_info *cu_info;
+ struct prestera_port *port = netdev_priv(dev);
+ struct netlink_ext_ack *extack;
+ struct net_device *upper;
+
+- extack = netdev_notifier_info_to_extack(&info->info);
+- upper = info->upper_dev;
++ extack = netdev_notifier_info_to_extack(info);
++ cu_info = container_of(info,
++ struct netdev_notifier_changeupper_info,
++ info);
+
+ switch (event) {
+ case NETDEV_PRECHANGEUPPER:
++ upper = cu_info->upper_dev;
+ if (!netif_is_bridge_master(upper) &&
+ !netif_is_lag_master(upper)) {
+ NL_SET_ERR_MSG_MOD(extack, "Unknown upper device type");
+ return -EINVAL;
+ }
+
+- if (!info->linking)
++ if (!cu_info->linking)
+ break;
+
+ if (netdev_has_any_upper_dev(upper)) {
+@@ -732,7 +736,7 @@ static int prestera_netdev_port_event(struct net_device *lower,
+ }
+
+ if (netif_is_lag_master(upper) &&
+- !prestera_lag_master_check(upper, info->upper_info, extack))
++ !prestera_lag_master_check(upper, cu_info->upper_info, extack))
+ return -EOPNOTSUPP;
+ if (netif_is_lag_master(upper) && vlan_uses_dev(dev)) {
+ NL_SET_ERR_MSG_MOD(extack,
+@@ -748,14 +752,15 @@ static int prestera_netdev_port_event(struct net_device *lower,
+ break;
+
+ case NETDEV_CHANGEUPPER:
++ upper = cu_info->upper_dev;
+ if (netif_is_bridge_master(upper)) {
+- if (info->linking)
++ if (cu_info->linking)
+ return prestera_bridge_port_join(upper, port,
+ extack);
+ else
+ prestera_bridge_port_leave(upper, port);
+ } else if (netif_is_lag_master(upper)) {
+- if (info->linking)
++ if (cu_info->linking)
+ return prestera_lag_port_add(port, upper);
+ else
+ prestera_lag_port_del(port);
+--
+2.34.1
+
diff --git a/queue-5.15/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch b/queue-5.15/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch
new file mode 100644
index 00000000000..484331abfab
--- /dev/null
+++ b/queue-5.15/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch
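Review bot: In prestera_netdev_port_event() `cu_info` is still derived with container_of() for every event, although it only describes valid memory for NETDEV_PRECHANGEUPPER and NETDEV_CHANGEUPPER; the computation itself reads nothing, but any later use outside those two cases would bring back the out-of-bounds read KASAN reported. Moving the `container_of()` into the two cases next to `upper = cu_info->upper_dev;`, or at least adding `/* cu_info is only valid for NETDEV_(PRE)CHANGEUPPER */` at the declaration, would make that mistake harder to make. `upper` is likewise left unassigned for the remaining events, so the cases outside these hunks should be checked for uses of it.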
@@ -0,0 +1,46 @@
+From 2c0bdb17dca4f54825a4037a2d722c088755ebee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Dec 2021 09:50:27 -0500
+Subject: net: skip virtio_net_hdr_set_proto if protocol already set
+
+From: Willem de Bruijn
+
+[ Upstream commit 1ed1d592113959f00cc552c3b9f47ca2d157768f ]
+
+virtio_net_hdr_set_proto infers skb->protocol from the virtio_net_hdr
+gso_type, to avoid packets getting dropped for lack of a proto type.
+
+Its protocol choice is a guess, especially in the case of UFO, where
+the single VIRTIO_NET_HDR_GSO_UDP label covers both UFOv4 and UFOv6.
+
+Skip this best effort if the field is already initialized. Whether
+explicitly from userspace, or implicitly based on an earlier call to
+dev_parse_header_protocol (which is more robust, but was introduced
+after this patch).
+
+Fixes: 9d2f67e43b73 ("net/packet: fix packet drop as of virtio gso")
+Signed-off-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/20211220145027.2784293-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/virtio_net.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 22dd48c825600..a960de68ac69e 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -25,6 +25,9 @@ static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type)
+ static inline int virtio_net_hdr_set_proto(struct sk_buff *skb,
+ const struct virtio_net_hdr *hdr)
+ {
++ if (skb->protocol)
++ return 0;
++
+ switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
+ case VIRTIO_NET_HDR_GSO_TCPV4:
+ case VIRTIO_NET_HDR_GSO_UDP:
+--
+2.34.1
+
diff --git a/queue-5.15/net-stmmac-dwmac-visconti-fix-value-of-ether_clk_sel.patch b/queue-5.15/net-stmmac-dwmac-visconti-fix-value-of-ether_clk_sel.patch
new file mode 100644
index 00000000000..4d6b2436a15
--- /dev/null
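Review bot: The added `if (skb->protocol) return 0;` in virtio_net_hdr_set_proto() reports success without comparing the existing protocol with `hdr->gso_type`, so a protocol set by userspace is kept even when it contradicts the GSO type. The commit message treats that as intended, which makes it a contract callers have to know about. A comment on the early return such as `/* keep a protocol that is already set; callers needing it to agree with gso_type must check that themselves */` would record it. The switch that follows continues outside the hunk.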
+++ b/queue-5.15/net-stmmac-dwmac-visconti-fix-value-of-ether_clk_sel.patch
@@ -0,0 +1,38 @@
+From f5bcc99db22d6e95f0d22f1154f244d2e58b9ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Dec 2021 16:36:33 +0900
+Subject: net: stmmac: dwmac-visconti: Fix value of ETHER_CLK_SEL_FREQ_SEL_2P5M
+
+From: Nobuhiro Iwamatsu
+
+[ Upstream commit 391e5975c0208ce3739587b33eba08be3e473d79 ]
+
+ETHER_CLK_SEL_FREQ_SEL_2P5M is not 0 bit of the register. This is a
+value, which is 0. Fix from BIT(0) to 0.
+
+Reported-by: Yuji Ishikawa
+Fixes: b38dd98ff8d0 ("net: stmmac: Add Toshiba Visconti SoCs glue driver")
+Signed-off-by: Nobuhiro Iwamatsu
+Link: https://lore.kernel.org/r/20211223073633.101306-1-nobuhiro1.iwamatsu@toshiba.co.jp
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c
+index d046e33b8a297..fac788718c045 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c
+@@ -26,7 +26,7 @@
+ #define ETHER_CLK_SEL_FREQ_SEL_125M (BIT(9) | BIT(8))
+ #define ETHER_CLK_SEL_FREQ_SEL_50M BIT(9)
+ #define ETHER_CLK_SEL_FREQ_SEL_25M BIT(8)
+-#define ETHER_CLK_SEL_FREQ_SEL_2P5M BIT(0)
++#define ETHER_CLK_SEL_FREQ_SEL_2P5M 0
+ #define ETHER_CLK_SEL_TX_CLK_EXT_SEL_IN BIT(0)
+ #define ETHER_CLK_SEL_TX_CLK_EXT_SEL_TXC BIT(10)
+ #define ETHER_CLK_SEL_TX_CLK_EXT_SEL_DIV BIT(11)
+--
+2.34.1
+
diff --git a/queue-5.15/net-stmmac-ptp-fix-potentially-overflowing-expressio.patch b/queue-5.15/net-stmmac-ptp-fix-potentially-overflowing-expressio.patch
new file mode 100644
index 00000000000..abe92ca08cd
--- /dev/null
+++ b/queue-5.15/net-stmmac-ptp-fix-potentially-overflowing-expressio.patch
@@ -0,0 +1,37 @@
+From 30b94efb40cdc743daa968e0440456d6fab195fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Dec 2021 15:39:28 +0800
+Subject: net: stmmac: ptp: fix potentially overflowing expression
+
+From: Xiaoliang Yang
+
+[ Upstream commit eccffcf4657ab9a148faaa0eb354d2a091caf552 ]
+
+Convert the u32 variable to type u64 in a context where expression of
+type u64 is required to avoid potential overflow.
+
+Fixes: e9e3720002f6 ("net: stmmac: ptp: update tas basetime after ptp adjust")
+Signed-off-by: Xiaoliang Yang
+Link: https://lore.kernel.org/r/20211223073928.37371-1-xiaoliang.yang_1@nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+index 580cc035536bd..be9b58b2abf9b 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+@@ -102,7 +102,7 @@ static int stmmac_adjust_time(struct ptp_clock_info *ptp, s64 delta)
+ time.tv_nsec = priv->plat->est->btr_reserve[0];
+ time.tv_sec = priv->plat->est->btr_reserve[1];
+ basetime = timespec64_to_ktime(time);
+- cycle_time = priv->plat->est->ctr[1] * NSEC_PER_SEC +
++ cycle_time = (u64)priv->plat->est->ctr[1] * NSEC_PER_SEC +
+ priv->plat->est->ctr[0];
+ time = stmmac_calc_tas_basetime(basetime,
+ current_time_ns,
+--
+2.34.1
+
diff --git a/queue-5.15/netfilter-fix-regression-in-looped-broad-multi-cast-.patch b/queue-5.15/netfilter-fix-regression-in-looped-broad-multi-cast-.patch
new file mode 100644
index 00000000000..e195afd0bfb
--- /dev/null
+++ b/queue-5.15/netfilter-fix-regression-in-looped-broad-multi-cast-.patch
@@ -0,0 +1,69 @@
+From 4905673e153fbb82848ae007db223b5c15594029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Dec 2021 16:31:27 +0100
+Subject: netfilter: fix regression in looped (broad|multi)cast's MAC handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ignacy Gawędzki
+
+[ Upstream commit ebb966d3bdfed581ecccbb4a7432341baf7619b4 ]
+
+In commit 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac
+header was cleared"), the test for non-empty MAC header introduced in
+commit 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC
+handling") has been replaced with a test for a set MAC header.
+
+This breaks the case when the MAC header has been reset (using
+skb_reset_mac_header), as is the case with looped-back multicast
+packets. As a result, the packets ending up in NFQUEUE get a bogus
+hwaddr interpreted from the first bytes of the IP header.
+
+This patch adds a test for a non-empty MAC header in addition to the
+test for a set MAC header. The same two tests are also implemented in
+nfnetlink_log.c, where the initial code of commit 2c38de4c1f8da7
+("netfilter: fix looped (broad|multi)cast's MAC handling") has not been
+touched, but where supposedly the same situation may happen.
+
+Fixes: 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac header was cleared")
+Signed-off-by: Ignacy Gawędzki
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nfnetlink_log.c | 3 ++-
+ net/netfilter/nfnetlink_queue.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index 691ef4cffdd90..7f83f9697fc14 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -556,7 +556,8 @@ __build_packet_message(struct nfnl_log_net *log,
+ goto nla_put_failure;
+
+ if (indev && skb->dev &&
+- skb->mac_header != skb->network_header) {
++ skb_mac_header_was_set(skb) &&
++ skb_mac_header_len(skb) != 0) {
+ struct nfulnl_msg_packet_hw phw;
+ int len;
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 4acc4b8e9fe5a..959527708e382 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -560,7 +560,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ goto nla_put_failure;
+
+ if (indev && entskb->dev &&
+- skb_mac_header_was_set(entskb)) {
++ skb_mac_header_was_set(entskb) &&
++ skb_mac_header_len(entskb) != 0) {
+ struct nfqnl_msg_packet_hw phw;
+ int len;
+
+--
+2.34.1
+
diff --git a/queue-5.15/netfilter-nf_tables-fix-use-after-free-in-nft_set_ca.patch b/queue-5.15/netfilter-nf_tables-fix-use-after-free-in-nft_set_ca.patch
new file mode 100644
index 00000000000..280b9b6664c
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-fix-use-after-free-in-nft_set_ca.patch
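Review bot: The new two-part condition in `__build_packet_message()` and `nfqnl_build_packet_message()` has no comment saying why a set MAC header alone is not enough, and the regression being fixed came from exactly that test being simplified. I would add above each `if`: `/* mac header can be set but empty (skb_reset_mac_header on looped-back multicast); emit no hwaddr then */`. The same pair of tests now lives in both nfnetlink_log.c and nfnetlink_queue.c, so a small shared inline helper would keep the two from drifting apart again. Both functions start and end outside their hunks.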
@@ -0,0 +1,241 @@ +From 95569bb1f24520a4b5ba1df27c9f940d5344dca4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 05:45:44 -0800 +Subject: netfilter: nf_tables: fix use-after-free in + nft_set_catchall_destroy() + +From: Eric Dumazet + +[ Upstream commit 0f7d9b31ce7abdbb29bf018131ac920c9f698518 ] + +We need to use list_for_each_entry_safe() iterator +because we can not access @catchall after kfree_rcu() call. + +syzbot reported: + +BUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] +BUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] +BUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 +Read of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871 + +CPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247 + __kasan_report mm/kasan/report.c:433 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 + nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] + nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] + nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 + __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626 + nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + blocking_notifier_call_chain kernel/notifier.c:318 [inline] + blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306 + netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788 + __sock_release+0xcd/0x280 net/socket.c:649 + sock_close+0x18/0x20 net/socket.c:1314 + __fput+0x286/0x9f0 fs/file_table.c:280 + task_work_run+0xdd/0x1a0 
kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 + __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] + syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 + do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f75fbf28adb +Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 +RSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 +RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb +RDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003 +RBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830 +R10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3 +R13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032 + + +Allocated by task 8886: + kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:46 [inline] + set_alloc_info mm/kasan/common.c:434 [inline] + ____kasan_kmalloc mm/kasan/common.c:513 [inline] + ____kasan_kmalloc mm/kasan/common.c:472 [inline] + __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522 + kasan_kmalloc include/linux/kasan.h:269 [inline] + kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575 + kmalloc include/linux/slab.h:590 [inline] + nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline] + nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline] + nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936 + nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032 + nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513 + nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] + nfnetlink_rcv+0x3af/0x420 
net/netfilter/nfnetlink.c:652 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:724 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Freed by task 15335: + kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 + kasan_set_track+0x21/0x30 mm/kasan/common.c:46 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 + ____kasan_slab_free mm/kasan/common.c:366 [inline] + ____kasan_slab_free mm/kasan/common.c:328 [inline] + __kasan_slab_free+0xd1/0x110 mm/kasan/common.c:374 + kasan_slab_free include/linux/kasan.h:235 [inline] + __cache_free mm/slab.c:3445 [inline] + kmem_cache_free_bulk+0x67/0x1e0 mm/slab.c:3766 + kfree_bulk include/linux/slab.h:446 [inline] + kfree_rcu_work+0x51c/0xa10 kernel/rcu/tree.c:3273 + process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298 + worker_thread+0x658/0x11f0 kernel/workqueue.c:2445 + kthread+0x405/0x4f0 kernel/kthread.c:327 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 + __kasan_record_aux_stack+0xb5/0xe0 mm/kasan/generic.c:348 + kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3550 + nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4489 [inline] + nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] + nft_set_destroy+0x34a/0x4f0 net/netfilter/nf_tables_api.c:4493 + __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626 + nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + blocking_notifier_call_chain 
kernel/notifier.c:318 [inline] + blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306 + netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788 + __sock_release+0xcd/0x280 net/socket.c:649 + sock_close+0x18/0x20 net/socket.c:1314 + __fput+0x286/0x9f0 fs/file_table.c:280 + task_work_run+0xdd/0x1a0 kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 + __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] + syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 + do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff8880716e5b80 + which belongs to the cache kmalloc-64 of size 64 +The buggy address is located 0 bytes inside of + 64-byte region [ffff8880716e5b80, ffff8880716e5bc0) +The buggy address belongs to the page: +page:ffffea0001c5b940 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880716e5c00 pfn:0x716e5 +flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000000200 ffffea0000911848 ffffea00007c4d48 ffff888010c40200 +raw: ffff8880716e5c00 ffff8880716e5000 000000010000001e 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3638, ts 211086074437, free_ts 211031029429 + prep_new_page mm/page_alloc.c:2418 [inline] + get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149 + __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369 + __alloc_pages_node include/linux/gfp.h:570 [inline] + kmem_getpages mm/slab.c:1377 [inline] + cache_grow_begin+0x75/0x470 mm/slab.c:2593 + cache_alloc_refill+0x27f/0x380 mm/slab.c:2965 + ____cache_alloc mm/slab.c:3048 [inline] + ____cache_alloc 
mm/slab.c:3031 [inline] + __do_cache_alloc mm/slab.c:3275 [inline] + slab_alloc mm/slab.c:3316 [inline] + __do_kmalloc mm/slab.c:3700 [inline] + __kmalloc+0x3b3/0x4d0 mm/slab.c:3711 + kmalloc include/linux/slab.h:595 [inline] + kzalloc include/linux/slab.h:724 [inline] + tomoyo_get_name+0x234/0x480 security/tomoyo/memory.c:173 + tomoyo_parse_name_union+0xbc/0x160 security/tomoyo/util.c:260 + tomoyo_update_path_number_acl security/tomoyo/file.c:687 [inline] + tomoyo_write_file+0x629/0x7f0 security/tomoyo/file.c:1034 + tomoyo_write_domain2+0x116/0x1d0 security/tomoyo/common.c:1152 + tomoyo_add_entry security/tomoyo/common.c:2042 [inline] + tomoyo_supervisor+0xbc7/0xf00 security/tomoyo/common.c:2103 + tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline] + tomoyo_path_number_perm+0x419/0x590 security/tomoyo/file.c:734 + security_file_ioctl+0x50/0xb0 security/security.c:1541 + __do_sys_ioctl fs/ioctl.c:868 [inline] + __se_sys_ioctl fs/ioctl.c:860 [inline] + __x64_sys_ioctl+0xb3/0x200 fs/ioctl.c:860 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +page last free stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1338 [inline] + free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389 + free_unref_page_prepare mm/page_alloc.c:3309 [inline] + free_unref_page+0x19/0x690 mm/page_alloc.c:3388 + slab_destroy mm/slab.c:1627 [inline] + slabs_destroy+0x89/0xc0 mm/slab.c:1647 + cache_flusharray mm/slab.c:3418 [inline] + ___cache_free+0x4cc/0x610 mm/slab.c:3480 + qlink_free mm/kasan/quarantine.c:146 [inline] + qlist_free_all+0x4e/0x110 mm/kasan/quarantine.c:165 + kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272 + __kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:444 + kasan_slab_alloc include/linux/kasan.h:259 [inline] + slab_post_alloc_hook mm/slab.h:519 [inline] + slab_alloc_node mm/slab.c:3261 [inline] + 
kmem_cache_alloc_node+0x2ea/0x590 mm/slab.c:3599 + __alloc_skb+0x215/0x340 net/core/skbuff.c:414 + alloc_skb include/linux/skbuff.h:1126 [inline] + nlmsg_new include/net/netlink.h:953 [inline] + rtmsg_ifinfo_build_skb+0x72/0x1a0 net/core/rtnetlink.c:3808 + rtmsg_ifinfo_event net/core/rtnetlink.c:3844 [inline] + rtmsg_ifinfo_event net/core/rtnetlink.c:3835 [inline] + rtmsg_ifinfo+0x83/0x120 net/core/rtnetlink.c:3853 + netdev_state_change net/core/dev.c:1395 [inline] + netdev_state_change+0x114/0x130 net/core/dev.c:1386 + linkwatch_do_dev+0x10e/0x150 net/core/link_watch.c:167 + __linkwatch_run_queue+0x233/0x6a0 net/core/link_watch.c:213 + linkwatch_event+0x4a/0x60 net/core/link_watch.c:252 + process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298 + +Memory state around the buggy address: + ffff8880716e5a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff8880716e5b00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc +>ffff8880716e5b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ^ + ffff8880716e5c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff8880716e5c80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + +Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c0851fec11d46..c207728226372 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4481,9 +4481,9 @@ struct nft_set_elem_catchall { + static void nft_set_catchall_destroy(const struct nft_ctx *ctx, + struct nft_set *set) + { +- struct nft_set_elem_catchall *catchall; ++ struct nft_set_elem_catchall *next, *catchall; + +- list_for_each_entry_rcu(catchall, &set->catchall_list, list) { ++ list_for_each_entry_safe(catchall, next, &set->catchall_list, 
list) { + list_del_rcu(&catchall->list); + nft_set_elem_destroy(set, catchall->elem, true); + kfree_rcu(catchall); +-- +2.34.1 + diff --git a/queue-5.15/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch b/queue-5.15/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch new file mode 100644 index 00000000000..3068820cb73 --- /dev/null +++ b/queue-5.15/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch 
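Review bot: In `nft_set_catchall_destroy()` nothing in the code records why the iterator changed to `list_for_each_entry_safe()`, and the loop body still uses `list_del_rcu()` and `kfree_rcu()`, so a later cleanup could plausibly switch it back. A short comment such as `/* _safe: catchall is handed to kfree_rcu() below, fetch the next entry before the body runs */` would pin the reason next to the loop. The plain iterator presumably relies on the destroy path having no concurrent list writers; that is not visible in the hunk and is worth stating in the same comment. The function's closing lines are outside the hunk.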
@@ -0,0 +1,103 @@
+From 81fcacf5fb456a5da9b451521dc98d8dcd31a0b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Dec 2021 17:39:11 +0800
+Subject: qlcnic: potential dereference null pointer of rx_queue->page_ring
+
+From: Jiasheng Jiang
+
+[ Upstream commit 60ec7fcfe76892a1479afab51ff17a4281923156 ]
+
+The return value of kcalloc() needs to be checked.
+To avoid dereference of null pointer in case of the failure of alloc.
+Therefore, it might be better to change the return type of
+qlcnic_sriov_alloc_vlans() and return -ENOMEM when alloc fails and
+return 0 the others.
+Also, qlcnic_sriov_set_guest_vlan_mode() and __qlcnic_pci_sriov_enable()
+should deal with the return value of qlcnic_sriov_alloc_vlans().
+
+Fixes: 154d0c810c53 ("qlcnic: VLAN enhancement for 84XX adapters")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 12 +++++++++---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c | 4 +++-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h
+index 7160b42f51ddd..d0111cb3b40e1 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h
+@@ -201,7 +201,7 @@ int qlcnic_sriov_get_vf_vport_info(struct qlcnic_adapter *,
+ struct qlcnic_info *, u16);
+ int qlcnic_sriov_cfg_vf_guest_vlan(struct qlcnic_adapter *, u16, u8);
+ void qlcnic_sriov_free_vlans(struct qlcnic_adapter *);
+-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *);
++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *);
+ bool qlcnic_sriov_check_any_vlan(struct qlcnic_vf_info *);
+ void qlcnic_sriov_del_vlan_id(struct qlcnic_sriov *,
+ struct qlcnic_vf_info *, u16);
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+index dd03be3fc82a9..42a44c97572ae 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -432,7 +432,7 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter,
+ struct qlcnic_cmd_args *cmd)
+ {
+ struct qlcnic_sriov *sriov = adapter->ahw->sriov;
+- int i, num_vlans;
++ int i, num_vlans, ret;
+ u16 *vlans;
+
+ if (sriov->allowed_vlans)
+@@ -443,7 +443,9 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter,
+ dev_info(&adapter->pdev->dev, "Number of allowed Guest VLANs = %d\n",
+ sriov->num_allowed_vlans);
+
+- qlcnic_sriov_alloc_vlans(adapter);
++ ret = qlcnic_sriov_alloc_vlans(adapter);
++ if (ret)
++ return ret;
+
+ if (!sriov->any_vlan)
+ return 0;
+@@ -2154,7 +2156,7 @@ static int qlcnic_sriov_vf_resume(struct qlcnic_adapter *adapter)
+ return err;
+ }
+
+-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter)
++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter)
+ {
+ struct qlcnic_sriov *sriov = adapter->ahw->sriov;
+ struct qlcnic_vf_info *vf;
+@@ -2164,7 +2166,11 @@ void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter)
+ vf = &sriov->vf_info[i];
+ vf->sriov_vlans = kcalloc(sriov->num_allowed_vlans,
+ sizeof(*vf->sriov_vlans), GFP_KERNEL);
++ if (!vf->sriov_vlans)
++ return -ENOMEM;
+ }
++
++ return 0;
+ }
+
+ void qlcnic_sriov_free_vlans(struct qlcnic_adapter *adapter)
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c
+index 447720b93e5ab..e90fa97c0ae6c 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c
+@@ -597,7 +597,9 @@ static int __qlcnic_pci_sriov_enable(struct qlcnic_adapter *adapter,
+ if (err)
+ goto del_flr_queue;
+
+- qlcnic_sriov_alloc_vlans(adapter);
++ err = qlcnic_sriov_alloc_vlans(adapter);
++ if (err)
++ goto del_flr_queue;
+
+ return err;
+
+--
+2.34.1
+
diff --git a/queue-5.15/r8152-fix-the-force-speed-doesn-t-work-for-rtl8156.patch b/queue-5.15/r8152-fix-the-force-speed-doesn-t-work-for-rtl8156.patch
new file mode 100644
index 00000000000..d31acfd1023
--- /dev/null
+++ b/queue-5.15/r8152-fix-the-force-speed-doesn-t-work-for-rtl8156.patch
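Review bot: `qlcnic_sriov_alloc_vlans()` now returns -ENOMEM from inside its per-VF loop, but the `sriov_vlans` arrays already allocated for earlier VFs stay in place, and neither caller's error path is shown releasing them. Unless the `del_flr_queue` label in `__qlcnic_pci_sriov_enable()` or the caller of `qlcnic_sriov_set_guest_vlan_mode()` eventually reaches `qlcnic_sriov_free_vlans()` (not visible in these hunks), a partial failure leaks memory. Consider unwinding locally with `if (!vf->sriov_vlans) { qlcnic_sriov_free_vlans(adapter); return -ENOMEM; }`, after confirming that the free routine tolerates NULL entries and clears the pointers it frees.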
@@ -0,0 +1,65 @@
+From f7c3daa159d22984a5cf366bbb841698fe5de290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Dec 2021 17:27:01 +0800
+Subject: r8152: fix the force speed doesn't work for RTL8156
+
+From: Hayes Wang
+
+[ Upstream commit 45bf944e6703d43fe5e285808312acd8a34c1a24 ]
+
+It needs to set mdio force mode. Otherwise, link off always occurs when
+setting force speed.
+
+Fixes: 195aae321c82 ("r8152: support new chips")
+Signed-off-by: Hayes Wang
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/r8152.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index d3da350777a4d..3364e54c177ff 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -6584,6 +6584,21 @@ static bool rtl8153_in_nway(struct r8152 *tp)
+ return true;
+ }
+
++static void r8156_mdio_force_mode(struct r8152 *tp)
++{
++ u16 data;
++
++ /* Select force mode through 0xa5b4 bit 15
++ * 0: MDIO force mode
++ * 1: MMD force mode
++ */
++ data = ocp_reg_read(tp, 0xa5b4);
++ if (data & BIT(15)) {
++ data &= ~BIT(15);
++ ocp_reg_write(tp, 0xa5b4, data);
++ }
++}
++
+ static void set_carrier(struct r8152 *tp)
+ {
+ struct net_device *netdev = tp->netdev;
+@@ -8016,6 +8031,7 @@ static void r8156_init(struct r8152 *tp)
+ ocp_data |= ACT_ODMA;
+ ocp_write_byte(tp, MCU_TYPE_USB, USB_BMU_CONFIG, ocp_data);
+
++ r8156_mdio_force_mode(tp);
+ rtl_tally_reset(tp);
+
+ tp->coalesce = 15000; /* 15 us */
+@@ -8145,6 +8161,7 @@ static void r8156b_init(struct r8152 *tp)
+ ocp_data &= ~(RX_AGG_DISABLE | RX_ZERO_EN);
+ ocp_write_word(tp, MCU_TYPE_USB, USB_USB_CTRL, ocp_data);
+
++ r8156_mdio_force_mode(tp);
+ rtl_tally_reset(tp);
+
+ tp->coalesce = 15000; /* 15 us */
+--
+2.34.1
+
diff --git a/queue-5.15/rdma-hns-fix-rnr-retransmission-issue-for-hip08.patch b/queue-5.15/rdma-hns-fix-rnr-retransmission-issue-for-hip08.patch
new file mode 100644
index 00000000000..33c5461752e
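Review bot: `r8156_mdio_force_mode()` spells the OCP register as the literal `0xa5b4` and the mode bit as `BIT(15)`, twice each, while the init code around the two call sites uses named constants such as `USB_BMU_CONFIG` and `ACT_ODMA`. Giving both a name, for example `#define OCP_FORCE_MODE_SEL 0xa5b4` and `#define FORCE_MODE_MMD BIT(15)` (suggested names, not existing symbols), would make the read-modify-write self-describing and keep the register greppable. The block comment could then carry only the reason forced speed needs MDIO mode.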
--- /dev/null
+++ b/queue-5.15/rdma-hns-fix-rnr-retransmission-issue-for-hip08.patch
@@ -0,0 +1,198 @@ +From 0206da4cc6f540ba8bb0d3042695818f666ffe72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 22:06:55 +0800 +Subject: RDMA/hns: Fix RNR retransmission issue for HIP08 + +From: Yangyang Li + +[ Upstream commit 4ad8181426df92976feee5fbc55236293d069b37 ] + +Due to the discrete nature of the HIP08 timer unit, a requester might +finish the timeout period sooner, in elapsed real time, than its responder +does, even when both sides share the identical RNR timeout length included +in the RNR Nak packet and the responder indeed starts the timing prior to +the requester. Furthermore, if a 'providential' resend packet arrived +before the responder's timeout period expired, the responder is certainly +entitled to drop the packet silently in the light of IB protocol. + +To address this problem, our team made good use of certain hardware facts: + +1) The timing resolution regards the transmission arrangements is 1 + microsecond, e.g. if cq_period field is set to 3, it would be + interpreted as 3 microsecond by hardware + +2) A QPC field shall inform the hardware how many timing unit (ticks) + constitutes a full microsecond, which, by default, is 1000 + +3) It takes 14ns for the processor to handle a packet in the buffer, so + the RNR timeout length of 10ns would ensure our processing mechanism is + disabled during the entire timeout period and the packet won't be + dropped silently + +To achieve (3), we permanently set the QPC field mentioned in (2) to zero +which nominally indicates every time tick is equivalent to a microsecond +in wall-clock time; now, a RNR timeout period at face value of 10 would +only last 10 ticks, which is 10ns in wall-clock time. + +It's worth noting that we adapt the driver by magnifying certain +configuration parameters(cq_period, eq_period and ack_timeout)by 1000 +given the user assumes the configuring timing unit to be microseconds. 
+ +Also, this particular improvisation is only deployed on HIP08 since other +hardware has already solved this issue. + +Fixes: cfc85f3e4b7f ("RDMA/hns: Add profile support for hip08 driver") +Link: https://lore.kernel.org/r/20211209140655.49493-1-liangwenpeng@huawei.com +Signed-off-by: Yangyang Li +Signed-off-by: Wenpeng Liang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 64 +++++++++++++++++++--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 8 +++ + 2 files changed, 65 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 51dd134952e77..96fe73ba689c1 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -1604,11 +1604,17 @@ static int hns_roce_config_global_param(struct hns_roce_dev *hr_dev) + { + struct hns_roce_cmq_desc desc; + struct hns_roce_cmq_req *req = (struct hns_roce_cmq_req *)desc.data; ++ u32 clock_cycles_of_1us; + + hns_roce_cmq_setup_basic_desc(&desc, HNS_ROCE_OPC_CFG_GLOBAL_PARAM, + false); + +- hr_reg_write(req, CFG_GLOBAL_PARAM_1US_CYCLES, 0x3e8); ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) ++ clock_cycles_of_1us = HNS_ROCE_1NS_CFG; ++ else ++ clock_cycles_of_1us = HNS_ROCE_1US_CFG; ++ ++ hr_reg_write(req, CFG_GLOBAL_PARAM_1US_CYCLES, clock_cycles_of_1us); + hr_reg_write(req, CFG_GLOBAL_PARAM_UDP_PORT, ROCE_V2_UDP_DPORT); + + return hns_roce_cmq_send(hr_dev, &desc, 1); +@@ -4812,6 +4818,30 @@ static int hns_roce_v2_set_abs_fields(struct ib_qp *ibqp, + return ret; + } + ++static bool check_qp_timeout_cfg_range(struct hns_roce_dev *hr_dev, u8 *timeout) ++{ ++#define QP_ACK_TIMEOUT_MAX_HIP08 20 ++#define QP_ACK_TIMEOUT_OFFSET 10 ++#define QP_ACK_TIMEOUT_MAX 31 ++ ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { ++ if (*timeout > QP_ACK_TIMEOUT_MAX_HIP08) { ++ ibdev_warn(&hr_dev->ib_dev, ++ "Local ACK timeout shall 
be 0 to 20.\n"); ++ return false; ++ } ++ *timeout += QP_ACK_TIMEOUT_OFFSET; ++ } else if (hr_dev->pci_dev->revision > PCI_REVISION_ID_HIP08) { ++ if (*timeout > QP_ACK_TIMEOUT_MAX) { ++ ibdev_warn(&hr_dev->ib_dev, ++ "Local ACK timeout shall be 0 to 31.\n"); ++ return false; ++ } ++ } ++ ++ return true; ++} ++ + static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp, + const struct ib_qp_attr *attr, + int attr_mask, +@@ -4821,6 +4851,7 @@ static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp, + struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device); + struct hns_roce_qp *hr_qp = to_hr_qp(ibqp); + int ret = 0; ++ u8 timeout; + + if (attr_mask & IB_QP_AV) { + ret = hns_roce_v2_set_path(ibqp, attr, attr_mask, context, +@@ -4830,12 +4861,10 @@ static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp, + } + + if (attr_mask & IB_QP_TIMEOUT) { +- if (attr->timeout < 31) { +- hr_reg_write(context, QPC_AT, attr->timeout); ++ timeout = attr->timeout; ++ if (check_qp_timeout_cfg_range(hr_dev, &timeout)) { ++ hr_reg_write(context, QPC_AT, timeout); + hr_reg_clear(qpc_mask, QPC_AT); +- } else { +- ibdev_warn(&hr_dev->ib_dev, +- "Local ACK timeout shall be 0 to 30.\n"); + } + } + +@@ -4892,7 +4921,9 @@ static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp, + set_access_flags(hr_qp, context, qpc_mask, attr, attr_mask); + + if (attr_mask & IB_QP_MIN_RNR_TIMER) { +- hr_reg_write(context, QPC_MIN_RNR_TIME, attr->min_rnr_timer); ++ hr_reg_write(context, QPC_MIN_RNR_TIME, ++ hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 ? 
++ HNS_ROCE_RNR_TIMER_10NS : attr->min_rnr_timer); + hr_reg_clear(qpc_mask, QPC_MIN_RNR_TIME); + } + +@@ -5509,6 +5540,16 @@ static int hns_roce_v2_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period) + + hr_reg_write(cq_context, CQC_CQ_MAX_CNT, cq_count); + hr_reg_clear(cqc_mask, CQC_CQ_MAX_CNT); ++ ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { ++ if (cq_period * HNS_ROCE_CLOCK_ADJUST > USHRT_MAX) { ++ dev_info(hr_dev->dev, ++ "cq_period(%u) reached the upper limit, adjusted to 65.\n", ++ cq_period); ++ cq_period = HNS_ROCE_MAX_CQ_PERIOD; ++ } ++ cq_period *= HNS_ROCE_CLOCK_ADJUST; ++ } + hr_reg_write(cq_context, CQC_CQ_PERIOD, cq_period); + hr_reg_clear(cqc_mask, CQC_CQ_PERIOD); + +@@ -5904,6 +5945,15 @@ static int config_eqc(struct hns_roce_dev *hr_dev, struct hns_roce_eq *eq, + hr_reg_write(eqc, EQC_EQ_PROD_INDX, HNS_ROCE_EQ_INIT_PROD_IDX); + hr_reg_write(eqc, EQC_EQ_MAX_CNT, eq->eq_max_cnt); + ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { ++ if (eq->eq_period * HNS_ROCE_CLOCK_ADJUST > USHRT_MAX) { ++ dev_info(hr_dev->dev, "eq_period(%u) reached the upper limit, adjusted to 65.\n", ++ eq->eq_period); ++ eq->eq_period = HNS_ROCE_MAX_EQ_PERIOD; ++ } ++ eq->eq_period *= HNS_ROCE_CLOCK_ADJUST; ++ } ++ + hr_reg_write(eqc, EQC_EQ_PERIOD, eq->eq_period); + hr_reg_write(eqc, EQC_EQE_REPORT_TIMER, HNS_ROCE_EQ_INIT_REPORT_TIMER); + hr_reg_write(eqc, EQC_EQE_BA_L, bt_ba >> 3); +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index 4d904d5e82be4..35c61da7ba156 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -1444,6 +1444,14 @@ struct hns_roce_dip { + struct list_head node; /* all dips are on a list */ + }; + ++/* only for RNR timeout issue of HIP08 */ ++#define HNS_ROCE_CLOCK_ADJUST 1000 ++#define HNS_ROCE_MAX_CQ_PERIOD 65 ++#define HNS_ROCE_MAX_EQ_PERIOD 65 ++#define HNS_ROCE_RNR_TIMER_10NS 1 ++#define HNS_ROCE_1US_CFG 999 
++#define HNS_ROCE_1NS_CFG 0 ++ + #define HNS_ROCE_AEQ_DEFAULT_BURST_NUM 0x0 + #define HNS_ROCE_AEQ_DEFAULT_INTERVAL 0x0 + #define HNS_ROCE_CEQ_DEFAULT_BURST_NUM 0x0 +-- +2.34.1 + diff --git a/queue-5.15/rdma-hns-replace-kfree-with-kvfree.patch b/queue-5.15/rdma-hns-replace-kfree-with-kvfree.patch new file mode 100644 index 00000000000..062d0566ec7 --- /dev/null +++ b/queue-5.15/rdma-hns-replace-kfree-with-kvfree.patch @@ -0,0 +1,39 @@ +From 108ac57dcbbdd1dd953ff6b442fff1986749f251 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 01:42:34 -0800 +Subject: RDMA/hns: Replace kfree() with kvfree() + +From: Jiacheng Shi + +[ Upstream commit 12d3bbdd6bd2780b71cc466f3fbc6eb7d43bbc2a ] + +Variables allocated by kvmalloc_array() should not be freed by kfree. +Because they may be allocated by vmalloc. So we replace kfree() with +kvfree() here. + +Fixes: 6fd610c5733d ("RDMA/hns: Support 0 hop addressing for SRQ buffer") +Link: https://lore.kernel.org/r/20211210094234.5829-1-billsjc@sjtu.edu.cn +Signed-off-by: Jiacheng Shi +Acked-by: Wenpeng Liang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c +index 6eee9deadd122..e64ef6903fb4f 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -259,7 +259,7 @@ static int alloc_srq_wrid(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + + static void free_srq_wrid(struct hns_roce_srq *srq) + { +- kfree(srq->wrid); ++ kvfree(srq->wrid); + srq->wrid = NULL; + } + +-- +2.34.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 1a0882ddafb..dd8e95fd7d5 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
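Review bot: `check_qp_timeout_cfg_range()` validates `*timeout` only when the PCI revision equals or exceeds `PCI_REVISION_ID_HIP08`; for any other revision it falls through to `return true`, so an unchecked u8 from `attr->timeout` reaches `hr_reg_write(context, QPC_AT, timeout)`, where the removed code rejected values above 30 on every device. If no lower revision can reach this path the gap is harmless, but turning the second branch into a plain `} else {` around the `QP_ACK_TIMEOUT_MAX` check makes that explicit. Separately, `config_eqc()` scales `eq->eq_period` in place, so a second call on the same `eq` without the field being re-initialised (not visible here) would multiply an already scaled value and land on the clamp. Scaling a local copy before writing `EQC_EQ_PERIOD` avoids that.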
@@ -8,3 +8,43 @@ hid-holtek-fix-mouse-probing.patch
 hid-potential-dereference-of-null-pointer.patch
 nfsd-fix-readdir-buffer-overflow.patch
 pm-sleep-fix-error-handling-in-dpm_prepare.patch
+arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch
+bus-sunxi-rsb-fix-shutdown.patch
+spi-change-clk_disable_unprepare-to-clk_unprepare.patch
+ucounts-fix-rlimit-max-values-check.patch
+drm-mediatek-hdmi-perform-null-pointer-check-for-mtk.patch
+asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch
+rdma-hns-fix-rnr-retransmission-issue-for-hip08.patch
+ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
+rdma-hns-replace-kfree-with-kvfree.patch
+netfilter-nf_tables-fix-use-after-free-in-nft_set_ca.patch
+netfilter-fix-regression-in-looped-broad-multi-cast-.patch
+arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch
+ice-use-xdp_buf-instead-of-rx_buf-for-xsk-zero-copy.patch
+ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch
+net-marvell-prestera-fix-incorrect-return-of-port_fi.patch
+net-marvell-prestera-fix-incorrect-structure-access.patch
+qlcnic-potential-dereference-null-pointer-of-rx_queu.patch
+tcp-move-inet-rx_dst_ifindex-to-sk-sk_rx_dst_ifindex.patch
+ipv6-move-inet6_sk-sk-rx_dst_cookie-to-sk-sk_rx_dst_.patch
+inet-fully-convert-sk-sk_rx_dst-to-rcu-rules.patch
+net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch
+net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch
+igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch
+ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch
+gpio-virtio-remove-timeout.patch
+bonding-fix-ad_actor_system-option-setting-to-defaul.patch
+fjes-check-for-error-irq.patch
+drivers-net-smc911x-check-for-error-irq.patch
+net-ks8851-check-for-error-irq.patch
+sfc-check-null-pointer-of-rx_queue-page_ring.patch
+sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch
+asix-fix-uninit-value-in-asix_mdio_read.patch
+asix-fix-wrong-return-value-in-asix_check_host_enabl.patch
+io_uring-zero-iocb-ki_pos-for-stream-file-types.patch
+veth-ensure-skb-entering-gro-are-not-cloned.patch
+net-stmmac-ptp-fix-potentially-overflowing-expressio.patch
+net-bridge-use-array_size-helper-in-copy_to_user.patch
+net-bridge-fix-ioctl-old_deviceless-bridge-argument.patch
+r8152-fix-the-force-speed-doesn-t-work-for-rtl8156.patch
+net-stmmac-dwmac-visconti-fix-value-of-ether_clk_sel.patch
diff --git a/queue-5.15/sfc-check-null-pointer-of-rx_queue-page_ring.patch b/queue-5.15/sfc-check-null-pointer-of-rx_queue-page_ring.patch
new file mode 100644
index 00000000000..638416f22c5
--- /dev/null
+++ b/queue-5.15/sfc-check-null-pointer-of-rx_queue-page_ring.patch
@@ -0,0 +1,42 @@
+From 91e28b3c2e54560582c59471c84dfc698d27ca1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Dec 2021 21:56:03 +0800
+Subject: sfc: Check null pointer of rx_queue->page_ring
+
+From: Jiasheng Jiang
+
+[ Upstream commit bdf1b5c3884f6a0dc91b0dbdb8c3b7d205f449e0 ]
+
+Because of the possible failure of the kcalloc, it should be better to
+set rx_queue->page_ptr_mask to 0 when it happens in order to maintain
+the consistency.
+
+Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver")
+Signed-off-by: Jiasheng Jiang
+Acked-by: Martin Habets
+Link: https://lore.kernel.org/r/20211220135603.954944-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/rx_common.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/rx_common.c b/drivers/net/ethernet/sfc/rx_common.c
+index 68fc7d317693b..0983abc0cc5f0 100644
+--- a/drivers/net/ethernet/sfc/rx_common.c
++++ b/drivers/net/ethernet/sfc/rx_common.c
+@@ -150,7 +150,10 @@ static void efx_init_rx_recycle_ring(struct efx_rx_queue *rx_queue)
+ efx->rx_bufs_per_page);
+ rx_queue->page_ring = kcalloc(page_ring_size,
+ sizeof(*rx_queue->page_ring), GFP_KERNEL);
+- rx_queue->page_ptr_mask = page_ring_size - 1;
++ if (!rx_queue->page_ring)
++ rx_queue->page_ptr_mask = 0;
++ else
++ rx_queue->page_ptr_mask = page_ring_size - 1;
+ }
+
+ static void efx_fini_rx_recycle_ring(struct efx_rx_queue *rx_queue)
+--
+2.34.1
+
diff --git a/queue-5.15/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch b/queue-5.15/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch
new file mode 100644
index 00000000000..b0df577b194
--- /dev/null
+++ b/queue-5.15/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch
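Review bot: On kcalloc() failure `efx_init_rx_recycle_ring()` now zeroes `page_ptr_mask`, but `page_ring` stays NULL and the function still returns void, so the failure is silent to its caller. The code that indexes `page_ring` with the mask is outside this hunk; if it does not test the pointer first, a mask of 0 only turns the access into `page_ring[0]` on a NULL base. I would put a comment on the new branch, `/* recycling disabled: every user must check page_ring for NULL */`, and confirm each consumer has an `if (!rx_queue->page_ring)` guard before this is relied on. The same applies to `ef4_init_rx_recycle_ring()` in the sfc-falcon patch that follows.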
@@ -0,0 +1,42 @@
+From c5b4fa116b97a36a7f18515d7491417aa0084372 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Dec 2021 22:03:44 +0800
+Subject: sfc: falcon: Check null pointer of rx_queue->page_ring
+
+From: Jiasheng Jiang
+
+[ Upstream commit 9b8bdd1eb5890aeeab7391dddcf8bd51f7b07216 ]
+
+Because of the possible failure of the kcalloc, it should be better to
+set rx_queue->page_ptr_mask to 0 when it happens in order to maintain
+the consistency.
+
+Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver")
+Signed-off-by: Jiasheng Jiang
+Acked-by: Martin Habets
+Link: https://lore.kernel.org/r/20211220140344.978408-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/falcon/rx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/falcon/rx.c b/drivers/net/ethernet/sfc/falcon/rx.c
+index 966f13e7475dd..11a6aee852e92 100644
+--- a/drivers/net/ethernet/sfc/falcon/rx.c
++++ b/drivers/net/ethernet/sfc/falcon/rx.c
+@@ -728,7 +728,10 @@ static void ef4_init_rx_recycle_ring(struct ef4_nic *efx,
+ efx->rx_bufs_per_page);
+ rx_queue->page_ring = kcalloc(page_ring_size,
+ sizeof(*rx_queue->page_ring), GFP_KERNEL);
+- rx_queue->page_ptr_mask = page_ring_size - 1;
++ if (!rx_queue->page_ring)
++ rx_queue->page_ptr_mask = 0;
++ else
++ rx_queue->page_ptr_mask = page_ring_size - 1;
+ }
+
+ void ef4_init_rx_queue(struct ef4_rx_queue *rx_queue)
+--
+2.34.1
+
diff --git a/queue-5.15/spi-change-clk_disable_unprepare-to-clk_unprepare.patch b/queue-5.15/spi-change-clk_disable_unprepare-to-clk_unprepare.patch
new file mode 100644
index 00000000000..a0349a4472a
--- /dev/null
+++ b/queue-5.15/spi-change-clk_disable_unprepare-to-clk_unprepare.patch
@@ -0,0 +1,39 @@
+From 7661f4d2b68238a99b144573f35447d273261aa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Dec 2021 18:19:31 +0800
+Subject: spi: change clk_disable_unprepare to clk_unprepare
+
+From: Dongliang Mu
+
+[ Upstream commit db6689b643d8653092f5853751ea2cdbc299f8d3 ]
+
+The corresponding API for clk_prepare is clk_unprepare, other than
+clk_disable_unprepare.
+
+Fix this by changing clk_disable_unprepare to clk_unprepare.
+
+Fixes: 5762ab71eb24 ("spi: Add support for Armada 3700 SPI Controller")
+Signed-off-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20211206101931.2816597-1-mudongliangabcd@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-armada-3700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-armada-3700.c b/drivers/spi/spi-armada-3700.c
+index 46feafe4e201c..d8cc4b270644a 100644
+--- a/drivers/spi/spi-armada-3700.c
++++ b/drivers/spi/spi-armada-3700.c
+@@ -901,7 +901,7 @@ static int a3700_spi_probe(struct platform_device *pdev)
+ return 0;
+
+ error_clk:
+- clk_disable_unprepare(spi->clk);
++ clk_unprepare(spi->clk);
+ error:
+ spi_master_put(master);
+ out:
+--
+2.34.1
+
diff --git a/queue-5.15/tcp-move-inet-rx_dst_ifindex-to-sk-sk_rx_dst_ifindex.patch b/queue-5.15/tcp-move-inet-rx_dst_ifindex-to-sk-sk_rx_dst_ifindex.patch
new file mode 100644
index 00000000000..6b88edae4df
--- /dev/null
+++ b/queue-5.15/tcp-move-inet-rx_dst_ifindex-to-sk-sk_rx_dst_ifindex.patch
@@ -0,0 +1,129 @@
+From 588312972ff2632370aef1e5611a6a438e3dda75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Oct 2021 09:48:16 -0700
+Subject: tcp: move inet->rx_dst_ifindex to sk->sk_rx_dst_ifindex
+
+From: Eric Dumazet
+
+[ Upstream commit 0c0a5ef809f9150e9229e7b13e43183b681b7a39 ]
+
+Increase cache locality by moving rx_dst_ifindex next to sk->sk_rx_dst
+
+This is part of an effort to reduce cache line misses in TCP fast path.
+
+This removes one cache line miss in early demux.
+
+Signed-off-by: Eric Dumazet
+Acked-by: Soheil Hassas Yeganeh
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/inet_sock.h | 3 +--
+ include/net/sock.h | 3 +++
+ net/ipv4/tcp_ipv4.c | 6 +++---
+ net/ipv6/tcp_ipv6.c | 6 +++---
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index 89163ef8cf4be..9e1111f5915bd 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -207,11 +207,10 @@ struct inet_sock {
+ __be32 inet_saddr;
+ __s16 uc_ttl;
+ __u16 cmsg_flags;
++ struct ip_options_rcu __rcu *inet_opt;
+ __be16 inet_sport;
+ __u16 inet_id;
+
+- struct ip_options_rcu __rcu *inet_opt;
+- int rx_dst_ifindex;
+ __u8 tos;
+ __u8 min_ttl;
+ __u8 mc_ttl;
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 7ac5075f9c18a..752601265a955 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -259,6 +259,7 @@ struct bpf_local_storage;
+ * @sk_rcvbuf: size of receive buffer in bytes
+ * @sk_wq: sock wait queue and async head
+ * @sk_rx_dst: receive input route used by early demux
++ * @sk_rx_dst_ifindex: ifindex for @sk_rx_dst
+ * @sk_dst_cache: destination cache
+ * @sk_dst_pending_confirm: need to confirm neighbour
+ * @sk_policy: flow policy
+@@ -431,6 +432,8 @@ struct sock {
+ struct xfrm_policy __rcu *sk_policy[2];
+ #endif
+ struct dst_entry *sk_rx_dst;
++ int sk_rx_dst_ifindex;
++
+ struct dst_entry __rcu *sk_dst_cache;
+ atomic_t sk_omem_alloc;
+ int sk_sndbuf;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 5b8ce65dfc067..f6838eec6ef73 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1703,7 +1703,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
+ sock_rps_save_rxhash(sk, skb);
+ sk_mark_napi_id(sk, skb);
+ if (dst) {
+- if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
++ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ !INDIRECT_CALL_1(dst->ops->check, ipv4_dst_check,
+ dst, 0)) {
+ dst_release(dst);
+@@ -1788,7 +1788,7 @@ int tcp_v4_early_demux(struct sk_buff *skb)
+ if (dst)
+ dst = dst_check(dst, 0);
+ if (dst &&
+- inet_sk(sk)->rx_dst_ifindex == skb->skb_iif)
++ sk->sk_rx_dst_ifindex == skb->skb_iif)
+ skb_dst_set_noref(skb, dst);
+ }
+ }
+@@ -2201,7 +2201,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+
+ if (dst && dst_hold_safe(dst)) {
+ sk->sk_rx_dst = dst;
+- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
++ sk->sk_rx_dst_ifindex = skb->skb_iif;
+ }
+ }
+ EXPORT_SYMBOL(inet_sk_rx_dst_set);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index b03dd02c9f13c..c72586ee517ba 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -108,7 +108,7 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+ const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+ sk->sk_rx_dst = dst;
+- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
++ sk->sk_rx_dst_ifindex = skb->skb_iif;
+ tcp_inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
+ }
+ }
+@@ -1509,7 +1509,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ sock_rps_save_rxhash(sk, skb);
+ sk_mark_napi_id(sk, skb);
+ if (dst) {
+- if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
++ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ INDIRECT_CALL_1(dst->ops->check, ip6_dst_check,
+ dst, np->rx_dst_cookie) == NULL) {
+ dst_release(dst);
+@@ -1880,7 +1880,7 @@ INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb)
+ if (dst)
+ dst = dst_check(dst, tcp_inet6_sk(sk)->rx_dst_cookie);
+ if (dst &&
+- inet_sk(sk)->rx_dst_ifindex == skb->skb_iif)
++ sk->sk_rx_dst_ifindex == skb->skb_iif)
+ skb_dst_set_noref(skb, dst);
+ }
+ }
+--
+2.34.1
+
diff --git a/queue-5.15/ucounts-fix-rlimit-max-values-check.patch b/queue-5.15/ucounts-fix-rlimit-max-values-check.patch
new file mode 100644
index 00000000000..6ab7a43efc5
--- /dev/null
+++ b/queue-5.15/ucounts-fix-rlimit-max-values-check.patch
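Review bot: The new kernel-doc line `@sk_rx_dst_ifindex: ifindex for @sk_rx_dst` does not say that the field is only meaningful together with the dst it was stored with, which is the invariant every reader in these hunks depends on. `inet_sk_rx_dst_set()` and `inet6_sk_rx_dst_set()` store `sk->sk_rx_dst` first and the ifindex second with plain assignments, and the early-demux and do_rcv paths read both with plain loads. If any of those readers can run concurrently with the setter (the locking is not visible here), a new dst can be paired with a stale ifindex. I would extend the doc line to `ifindex for @sk_rx_dst, written together with it` and, if the concurrency is real, mark the accesses with `WRITE_ONCE()`/`READ_ONCE()`.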
@@ -0,0 +1,122 @@
+From 7642731ec5f4b2f775a7204f60b91caec58aa6a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Nov 2021 21:37:25 +0100
+Subject: ucounts: Fix rlimit max values check
+
+From: Alexey Gladkov
+
+[ Upstream commit 59ec71575ab440cd5ca0aa53b2a2985b3639fad4 ]
+
+The semantics of the rlimit max values differs from ucounts itself. When
+creating a new userns, we store the current rlimit of the process in
+ucount_max. Thus, the value of the limit in the parent userns is saved
+in the created one.
+
+The problem is that now we are taking the maximum value for counter from
+the same userns. So for init_user_ns it will always be RLIM_INFINITY.
+
+To fix the problem we need to check the counter value with the max value
+stored in userns.
+
+Reproducer:
+
+su - test -c "ulimit -u 3; sleep 5 & sleep 6 & unshare -U --map-root-user sh -c 'sleep 7 & sleep 8 & date; wait'"
+
+Before:
+
+[1] 175
+[2] 176
+Fri Nov 26 13:48:20 UTC 2021
+[1]- Done sleep 5
+[2]+ Done sleep 6
+
+After:
+
+[1] 167
+[2] 168
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: Interrupted system call
+[1]- Done sleep 5
+[2]+ Done sleep 6
+
+Fixes: c54b245d0118 ("Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace")
+Reported-by: Gleb Fotengauer-Malinovskiy
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Alexey Gladkov
+Link: https://lkml.kernel.org/r/024ec805f6e16896f0b23e094773790d171d2c1c.1638218242.git.legion@kernel.org
+Signed-off-by: Eric W. Biederman
+Signed-off-by: Sasha Levin
+---
+ kernel/ucount.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/ucount.c b/kernel/ucount.c
+index eb03f3c68375d..16feb710ee638 100644
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -258,15 +258,16 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type)
+ long inc_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v)
+ {
+ struct ucounts *iter;
++ long max = LONG_MAX;
+ long ret = 0;
+
+ for (iter = ucounts; iter; iter = iter->ns->ucounts) {
+- long max = READ_ONCE(iter->ns->ucount_max[type]);
+ long new = atomic_long_add_return(v, &iter->ucount[type]);
+ if (new < 0 || new > max)
+ ret = LONG_MAX;
+ else if (iter == ucounts)
+ ret = new;
++ max = READ_ONCE(iter->ns->ucount_max[type]);
+ }
+ return ret;
+ }
+@@ -306,15 +307,16 @@ long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum ucount_type type)
+ {
+ /* Caller must hold a reference to ucounts */
+ struct ucounts *iter;
++ long max = LONG_MAX;
+ long dec, ret = 0;
+
+ for (iter = ucounts; iter; iter = iter->ns->ucounts) {
+- long max = READ_ONCE(iter->ns->ucount_max[type]);
+ long new = atomic_long_add_return(1, &iter->ucount[type]);
+ if (new < 0 || new > max)
+ goto unwind;
+ if (iter == ucounts)
+ ret = new;
++ max = READ_ONCE(iter->ns->ucount_max[type]);
+ /*
+ * Grab an extra ucount reference for the caller when
+ * the rlimit count was previously 0.
+@@ -333,15 +335,16 @@ unwind:
+ return 0;
+ }
+
+-bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long max)
++bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long rlimit)
+ {
+ struct ucounts *iter;
+- if (get_ucounts_value(ucounts, type) > max)
+- return true;
++ long max = rlimit;
++ if (rlimit > LONG_MAX)
++ max = LONG_MAX;
+ for (iter = ucounts; iter; iter = iter->ns->ucounts) {
+- max = READ_ONCE(iter->ns->ucount_max[type]);
+ if (get_ucounts_value(iter, type) > max)
+ return true;
++ max = READ_ONCE(iter->ns->ucount_max[type]);
+ }
+ return false;
+ }
+--
+2.34.1
+
diff --git a/queue-5.15/veth-ensure-skb-entering-gro-are-not-cloned.patch b/queue-5.15/veth-ensure-skb-entering-gro-are-not-cloned.patch
new file mode 100644
index 00000000000..38af999753c
--- /dev/null
+++ b/queue-5.15/veth-ensure-skb-entering-gro-are-not-cloned.patch
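Review bot: The whole fix rests on reading `max` at the end of each loop iteration instead of the start, and none of the three loops carries a comment saying so, which makes it easy for a later cleanup to move the read back and reopen the limit bypass shown in the commit's reproducer. In `inc_rlimit_ucounts()`, `inc_rlimit_get_ucounts()` and `is_ucounts_overlimit()` I would add above the trailing assignment `/* the limit for the next (parent) level is the one saved in this namespace */`. In `is_ucounts_overlimit()` the initialiser `long max = rlimit;` also converts an `unsigned long` that may exceed LONG_MAX before the clamp on the following lines corrects it; `long max = rlimit > LONG_MAX ? LONG_MAX : rlimit;` expresses the clamp without the out-of-range conversion.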
@@ -0,0 +1,101 @@
+From 5a30d07c8ccabed22a09243d8caefe5d44454d86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Dec 2021 19:39:52 +0100
+Subject: veth: ensure skb entering GRO are not cloned.
+
+From: Paolo Abeni
+
+[ Upstream commit 9695b7de5b4760ed22132aca919570c0190cb0ce ]
+
+After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"),
+if GRO is enabled on a veth device and TSO is disabled on the peer
+device, TCP skbs will go through the NAPI callback. If there is no XDP
+program attached, the veth code does not perform any share check, and
+shared/cloned skbs could enter the GRO engine.
+
+Ignat reported a BUG triggered later-on due to the above condition:
+
+[ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574!
+[ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25
+[ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+[ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0
+[ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0
+7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f
+85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89
+f7 4c 89 8c
+[ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246
+[ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000
+[ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2
+[ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0
+[ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590
+[ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0
+[ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000
+[ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0
+[ 53.982634][ C1] Call Trace:
+[ 53.982634][ C1]
+[ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0
+[ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460
+[ 53.982634][ C1] tcp_ack+0x2666/0x54b0
+[ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0
+[ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810
+[ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0
+[ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0
+[ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0
+[ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440
+[ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660
+[ 53.982634][ C1] ip_list_rcv+0x2c8/0x410
+[ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910
+[ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0
+[ 53.982634][ C1] napi_complete_done+0x188/0x6e0
+[ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0
+[ 53.982634][ C1] __napi_poll+0xa1/0x530
+[ 53.982634][ C1] net_rx_action+0x567/0x1270
+[ 53.982634][ C1] __do_softirq+0x28a/0x9ba
+[ 53.982634][ C1] run_ksoftirqd+0x32/0x60
+[ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0
+[ 53.982634][ C1] kthread+0x3b9/0x490
+[ 53.982634][ C1] ret_from_fork+0x22/0x30
+[ 53.982634][ C1]
+
+Address the issue by skipping the GRO stage for shared or cloned skbs.
+To reduce the chance of OoO, try to unclone the skbs before giving up.
+
+v1 -> v2:
+ - use avoid skb_copy and fallback to netif_receive_skb - Eric
+
+Reported-by: Ignat Korchagin
+Fixes: d3256efd8e8b ("veth: allow enabling NAPI even without XDP")
+Signed-off-by: Paolo Abeni
+Tested-by: Ignat Korchagin
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/b5f61c5602aab01bac8d711d8d1bfab0a4817db7.1640197544.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/veth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 50eb43e5bf459..2acdb8ad6c713 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -879,8 +879,12 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget,
+
+ stats->xdp_bytes += skb->len;
+ skb = veth_xdp_rcv_skb(rq, skb, bq, stats);
+- if (skb)
+- napi_gro_receive(&rq->xdp_napi, skb);
++ if (skb) {
++ if (skb_shared(skb) || skb_unclone(skb, GFP_ATOMIC))
++ netif_receive_skb(skb);
++ else
++ napi_gro_receive(&rq->xdp_napi, skb);
++ }
+ }
+ done++;
+ }
+--
+2.34.1
+
-- 2.47.3
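Review bot: The new test `skb_shared(skb) || skb_unclone(skb, GFP_ATOMIC)` in `veth_xdp_rcv()` folds two different cases into one branch, a shared skb and a cloned skb whose unclone attempt failed, and the code itself gives no reason why either must bypass GRO. Since the commit message ties this check to a kernel BUG hit by shared or cloned skbs entering GRO, a comment above the test would keep it from being simplified away later: `/* GRO needs exclusive ownership of the skb; shared or still-cloned skbs go straight to the stack */`. It is also worth saying there that a non-zero return from `skb_unclone()` means the skb is delivered uncoalesced rather than dropped. The body of `veth_xdp_rcv()` starts and ends outside this hunk.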