From: Sasha Levin
Date: Sat, 5 Aug 2023 20:50:02 +0000 (-0400)
Subject: Fixes for 5.10
X-Git-Tag: v4.14.321~51
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=032e406d471c22f387dfd99e6e4e7b6669bbec7e;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.10

Signed-off-by: Sasha Levin
---

diff --git a/queue-5.10/arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch b/queue-5.10/arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch
new file mode 100644
index 00000000000..8ad8ee5f629
--- /dev/null
+++ b/queue-5.10/arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch
@@ -0,0 +1,47 @@
+From a8d00ae128983f226ba960b160d8192721636168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Jul 2023 09:48:00 -0400
+Subject: arm64: dts: imx8mn-var-som: add missing pull-up for onboard PHY reset
+ pinmux
+
+From: Hugo Villeneuve
+
+[ Upstream commit 253be5b53c2792fb4384f8005b05421e6f040ee3 ]
+
+For SOMs with an onboard PHY, the RESET_N pull-up resistor is
+currently deactivated in the pinmux configuration. When the pinmux
+code selects the GPIO function for this pin, with a default direction
+of input, this prevents the RESET_N pin from being taken to the proper
+3.3V level (deasserted), and this results in the PHY being not
+detected since it is held in reset.
+
+Taken from RESET_N pin description in ADIN13000 datasheet:
+    This pin requires a 1K pull-up resistor to AVDD_3P3.
+
+Activate the pull-up resistor to fix the issue.
+
+Fixes: ade0176dd8a0 ("arm64: dts: imx8mn-var-som: Add Variscite VAR-SOM-MX8MN System on Module")
+Signed-off-by: Hugo Villeneuve
+Reviewed-by: Fabio Estevam
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
+index 24f9e8fd0c8b8..9c6c21cc6c6c8 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
+@@ -351,7 +351,7 @@
+ MX8MN_IOMUXC_ENET_RXC_ENET1_RGMII_RXC 0x91
+ MX8MN_IOMUXC_ENET_RX_CTL_ENET1_RGMII_RX_CTL 0x91
+ MX8MN_IOMUXC_ENET_TX_CTL_ENET1_RGMII_TX_CTL 0x1f
+- MX8MN_IOMUXC_GPIO1_IO09_GPIO1_IO9 0x19
++ MX8MN_IOMUXC_GPIO1_IO09_GPIO1_IO9 0x159
+ >;
+ };
+
+-- 
+2.40.1
+
diff --git a/queue-5.10/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch b/queue-5.10/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch
new file mode 100644
index 00000000000..3e70d2947e9
--- /dev/null
+++ b/queue-5.10/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch
@@ -0,0 +1,49 @@
+From c3d506eb1fa5785253d25ea582be0492ff74bf54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jul 2023 10:33:30 +0800
+Subject: bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing
+
+From: Lin Ma
+
+[ Upstream commit bcc29b7f5af6797702c2306a7aacb831fc5ce9cb ]
+
+The nla_for_each_nested parsing in function bpf_sk_storage_diag_alloc
+does not check the length of the nested attribute. This can lead to an
+out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
+be viewed as a 4 byte integer.
+
+This patch adds an additional check when the nlattr is getting counted.
+This makes sure the latter nla_get_u32 can access the attributes with
+the correct length.
+
+Fixes: 1ed4d92458a9 ("bpf: INET_DIAG support in bpf_sk_storage")
+Suggested-by: Jakub Kicinski
+Signed-off-by: Lin Ma
+Reviewed-by: Jakub Kicinski
+Link: https://lore.kernel.org/r/20230725023330.422856-1-linma@zju.edu.cn
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Sasha Levin
+---
+ net/core/bpf_sk_storage.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
+index d67d06d6b817c..a811fe0f0f6fd 100644
+--- a/net/core/bpf_sk_storage.c
++++ b/net/core/bpf_sk_storage.c
+@@ -446,8 +446,11 @@ bpf_sk_storage_diag_alloc(const struct nlattr *nla_stgs)
+ return ERR_PTR(-EPERM);
+
+ nla_for_each_nested(nla, nla_stgs, rem) {
+- if (nla_type(nla) == SK_DIAG_BPF_STORAGE_REQ_MAP_FD)
++ if (nla_type(nla) == SK_DIAG_BPF_STORAGE_REQ_MAP_FD) {
++ if (nla_len(nla) != sizeof(u32))
++ return ERR_PTR(-EINVAL);
+ nr_maps++;
++ }
+ }
+
+ diag = kzalloc(sizeof(*diag) + sizeof(diag->maps[0]) * nr_maps,
+-- 
+2.40.1
+
diff --git a/queue-5.10/bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch b/queue-5.10/bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch
new file mode 100644
index 00000000000..843273289e1
--- /dev/null
+++ b/queue-5.10/bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch
@@ -0,0 +1,59 @@
+From eb450fe218fdadf1af7d2126c9021bb1347e4e53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 08:44:11 +0200
+Subject: bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire
+
+From: Tomas Glozar
+
+[ Upstream commit 13d2618b48f15966d1adfe1ff6a1985f5eef40ba ]
+
+Disabling preemption in sock_map_sk_acquire conflicts with GFP_ATOMIC
+allocation later in sk_psock_init_link on PREEMPT_RT kernels, since
+GFP_ATOMIC might sleep on RT (see bpf: Make BPF and PREEMPT_RT co-exist
+patchset notes for details).
+
+This causes calling bpf_map_update_elem on BPF_MAP_TYPE_SOCKMAP maps to
+BUG (sleeping function called from invalid context) on RT kernels.
+
+preempt_disable was introduced together with lock_sk and rcu_read_lock
+in commit 99ba2b5aba24e ("bpf: sockhash, disallow bpf_tcp_close and update
+in parallel"), probably to match disabled migration of BPF programs, and
+is no longer necessary.
+
+Remove preempt_disable to fix BUG in sock_map_update_common on RT.
+ +Signed-off-by: Tomas Glozar +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/all/20200224140131.461979697@linutronix.de/ +Fixes: 99ba2b5aba24 ("bpf: sockhash, disallow bpf_tcp_close and update in parallel") +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/20230728064411.305576-1-tglozar@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock_map.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index ee5d3f49b0b5b..f375ef1501490 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -122,7 +122,6 @@ static void sock_map_sk_acquire(struct sock *sk) + __acquires(&sk->sk_lock.slock) + { + lock_sock(sk); +- preempt_disable(); + rcu_read_lock(); + } + +@@ -130,7 +129,6 @@ static void sock_map_sk_release(struct sock *sk) + __releases(&sk->sk_lock.slock) + { + rcu_read_unlock(); +- preempt_enable(); + release_sock(sk); + } + +-- +2.40.1 + diff --git a/queue-5.10/ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch b/queue-5.10/ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch new file mode 100644 index 00000000000..e91fe0f32d3 --- /dev/null +++ b/queue-5.10/ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch @@ -0,0 +1,77 @@ +From 2aa125e35101a84d57f670504600ef0b28939c77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 14:43:18 +0800 +Subject: ip6mr: Fix skb_under_panic in ip6mr_cache_report() + +From: Yue Haibing + +[ Upstream commit 30e0191b16e8a58e4620fa3e2839ddc7b9d4281c ] + +skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4 + head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:192! + invalid opcode: 0000 [#1] PREEMPT SMP KASAN + CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + Workqueue: ipv6_addrconf addrconf_dad_work + RIP: 0010:skb_panic+0x152/0x1d0 + Call Trace: + + skb_push+0xc4/0xe0 + ip6mr_cache_report+0xd69/0x19b0 + reg_vif_xmit+0x406/0x690 + dev_hard_start_xmit+0x17e/0x6e0 + __dev_queue_xmit+0x2d6a/0x3d20 + vlan_dev_hard_start_xmit+0x3ab/0x5c0 + dev_hard_start_xmit+0x17e/0x6e0 + __dev_queue_xmit+0x2d6a/0x3d20 + neigh_connected_output+0x3ed/0x570 + ip6_finish_output2+0x5b5/0x1950 + ip6_finish_output+0x693/0x11c0 + ip6_output+0x24b/0x880 + NF_HOOK.constprop.0+0xfd/0x530 + ndisc_send_skb+0x9db/0x1400 + ndisc_send_rs+0x12a/0x6c0 + addrconf_dad_completed+0x3c9/0xea0 + addrconf_dad_work+0x849/0x1420 + process_one_work+0xa22/0x16e0 + worker_thread+0x679/0x10c0 + ret_from_fork+0x28/0x60 + ret_from_fork_asm+0x11/0x20 + +When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit(). +reg_vif_xmit() + ip6mr_cache_report() + skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4 +And skb_push declared as: + void *skb_push(struct sk_buff *skb, unsigned int len); + skb->data -= len; + //0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850 +skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails. + +Fixes: 14fb64e1f449 ("[IPV6] MROUTE: Support PIM-SM (SSM).") +Signed-off-by: Yue Haibing +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6mr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 5f0ac47acc74b..c758d0cc6146d 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1069,7 +1069,7 @@ static int ip6mr_cache_report(struct mr_table *mrt, struct sk_buff *pkt, + And all this only to mangle msg->im6_msgtype and + to set msg->im6_mbz to "mbz" :-) + */ +- skb_push(skb, -skb_network_offset(pkt)); ++ __skb_pull(skb, skb_network_offset(pkt)); + + skb_push(skb, sizeof(*msg)); + skb_reset_transport_header(skb); +-- +2.40.1 + diff --git a/queue-5.10/kvm-s390-fix-sthyi-error-handling.patch b/queue-5.10/kvm-s390-fix-sthyi-error-handling.patch new file mode 100644 index 00000000000..8e8ae945e64 --- /dev/null +++ b/queue-5.10/kvm-s390-fix-sthyi-error-handling.patch @@ -0,0 +1,78 @@ +From 2e2cc1977dd6ca4df260cbf6d6b56f9ef225fb27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 20:29:39 +0200 +Subject: KVM: s390: fix sthyi error handling + +From: Heiko Carstens + +[ Upstream commit 0c02cc576eac161601927b41634f80bfd55bfa9e ] + +Commit 9fb6c9b3fea1 ("s390/sthyi: add cache to store hypervisor info") +added cache handling for store hypervisor info. This also changed the +possible return code for sthyi_fill(). + +Instead of only returning a condition code like the sthyi instruction would +do, it can now also return a negative error value (-ENOMEM). handle_styhi() +was not changed accordingly. In case of an error, the negative error value +would incorrectly injected into the guest PSW. + +Add proper error handling to prevent this, and update the comment which +describes the possible return values of sthyi_fill(). + +Fixes: 9fb6c9b3fea1 ("s390/sthyi: add cache to store hypervisor info") +Reviewed-by: Christian Borntraeger +Link: https://lore.kernel.org/r/20230727182939.2050744-1-hca@linux.ibm.com +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/sthyi.c | 6 +++--- + arch/s390/kvm/intercept.c | 9 ++++++--- + 2 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/kernel/sthyi.c b/arch/s390/kernel/sthyi.c +index 888cc2f166db7..ce6084e28d904 100644 +--- a/arch/s390/kernel/sthyi.c ++++ b/arch/s390/kernel/sthyi.c +@@ -460,9 +460,9 @@ static int sthyi_update_cache(u64 *rc) + * + * Fills the destination with system information returned by the STHYI + * instruction. The data is generated by emulation or execution of STHYI, +- * if available. The return value is the condition code that would be +- * returned, the rc parameter is the return code which is passed in +- * register R2 + 1. ++ * if available. The return value is either a negative error value or ++ * the condition code that would be returned, the rc parameter is the ++ * return code which is passed in register R2 + 1. 
+ */ + int sthyi_fill(void *dst, u64 *rc) + { +diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c +index 5be68190901f9..8bf72a323e4fa 100644 +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -387,8 +387,8 @@ static int handle_partial_execution(struct kvm_vcpu *vcpu) + */ + int handle_sthyi(struct kvm_vcpu *vcpu) + { +- int reg1, reg2, r = 0; +- u64 code, addr, cc = 0, rc = 0; ++ int reg1, reg2, cc = 0, r = 0; ++ u64 code, addr, rc = 0; + struct sthyi_sctns *sctns = NULL; + + if (!test_kvm_facility(vcpu->kvm, 74)) +@@ -419,7 +419,10 @@ int handle_sthyi(struct kvm_vcpu *vcpu) + return -ENOMEM; + + cc = sthyi_fill(sctns, &rc); +- ++ if (cc < 0) { ++ free_page((unsigned long)sctns); ++ return cc; ++ } + out: + if (!cc) { + if (kvm_s390_pv_cpu_is_protected(vcpu)) { +-- +2.40.1 + diff --git a/queue-5.10/misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch b/queue-5.10/misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch new file mode 100644 index 00000000000..6beae078637 --- /dev/null +++ b/queue-5.10/misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch @@ -0,0 +1,88 @@ +From d5763e0c97acd7f9495311f94bab67eb3a444089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 08:56:19 +0000 +Subject: mISDN: hfcpci: Fix potential deadlock on &hc->lock + +From: Chengfeng Ye + +[ Upstream commit 56c6be35fcbed54279df0a2c9e60480a61841d6f ] + +As &hc->lock is acquired by both timer _hfcpci_softirq() and hardirq +hfcpci_int(), the timer should disable irq before lock acquisition +otherwise deadlock could happen if the timmer is preemtped by the hadr irq. + +Possible deadlock scenario: +hfcpci_softirq() (timer) + -> _hfcpci_softirq() + -> spin_lock(&hc->lock); + + -> hfcpci_int() + -> spin_lock(&hc->lock); (deadlock here) + +This flaw was found by an experimental static analysis tool I am developing +for irq-related deadlock. + +The tentative patch fixes the potential deadlock by spin_lock_irq() +in timer. + +Fixes: b36b654a7e82 ("mISDN: Create /sys/class/mISDN") +Signed-off-by: Chengfeng Ye +Link: https://lore.kernel.org/r/20230727085619.7419-1-dg573847474@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index eba58b99cd29d..d6cf01c32a33d 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -839,7 +839,7 @@ hfcpci_fill_fifo(struct bchannel *bch) + *z1t = cpu_to_le16(new_z1); /* now send data */ + if (bch->tx_idx < bch->tx_skb->len) + return; +- dev_kfree_skb(bch->tx_skb); ++ dev_kfree_skb_any(bch->tx_skb); + if (get_next_bframe(bch)) + goto next_t_frame; + return; +@@ -895,7 +895,7 @@ hfcpci_fill_fifo(struct bchannel *bch) + } + bz->za[new_f1].z1 = cpu_to_le16(new_z1); /* for next buffer */ + bz->f1 = new_f1; /* next frame */ +- dev_kfree_skb(bch->tx_skb); ++ dev_kfree_skb_any(bch->tx_skb); + get_next_bframe(bch); + } + +@@ -1119,7 +1119,7 @@ tx_birq(struct bchannel *bch) + if (bch->tx_skb && bch->tx_idx < bch->tx_skb->len) + hfcpci_fill_fifo(bch); + else { +- dev_kfree_skb(bch->tx_skb); ++ dev_kfree_skb_any(bch->tx_skb); + if (get_next_bframe(bch)) + hfcpci_fill_fifo(bch); + } +@@ -2277,7 +2277,7 @@ _hfcpci_softirq(struct device *dev, void *unused) + return 0; + + if (hc->hw.int_m2 & HFCPCI_IRQ_ENABLE) { +- spin_lock(&hc->lock); ++ spin_lock_irq(&hc->lock); + bch = Sel_BCS(hc, hc->hw.bswapped ? 
2 : 1); + if (bch && bch->state == ISDN_P_B_RAW) { /* B1 rx&tx */ + main_rec_hfcpci(bch); +@@ -2288,7 +2288,7 @@ _hfcpci_softirq(struct device *dev, void *unused) + main_rec_hfcpci(bch); + tx_birq(bch); + } +- spin_unlock(&hc->lock); ++ spin_unlock_irq(&hc->lock); + } + return 0; + } +-- +2.40.1 + diff --git a/queue-5.10/net-add-missing-data-race-annotation-for-sk_ll_usec.patch b/queue-5.10/net-add-missing-data-race-annotation-for-sk_ll_usec.patch new file mode 100644 index 00000000000..ebc584df6b9 --- /dev/null +++ b/queue-5.10/net-add-missing-data-race-annotation-for-sk_ll_usec.patch @@ -0,0 +1,36 @@ +From b881fe0d347d4b0ae81a9d2b74220dca1edb167c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 15:03:17 +0000 +Subject: net: add missing data-race annotation for sk_ll_usec + +From: Eric Dumazet + +[ Upstream commit e5f0d2dd3c2faa671711dac6d3ff3cef307bcfe3 ] + +In a prior commit I forgot that sk_getsockopt() reads +sk->sk_ll_usec without holding a lock. + +Fixes: 0dbffbb5335a ("net: annotate data race around sk_ll_usec") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index a241734b10240..98f4b4a80de42 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1547,7 +1547,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + + #ifdef CONFIG_NET_RX_BUSY_POLL + case SO_BUSY_POLL: +- v.val = sk->sk_ll_usec; ++ v.val = READ_ONCE(sk->sk_ll_usec); + break; + #endif + +-- +2.40.1 + diff --git a/queue-5.10/net-add-missing-data-race-annotations-around-sk-sk_p.patch b/queue-5.10/net-add-missing-data-race-annotations-around-sk-sk_p.patch new file mode 100644 index 00000000000..0cbe0c72dce --- /dev/null +++ b/queue-5.10/net-add-missing-data-race-annotations-around-sk-sk_p.patch @@ -0,0 +1,63 @@ +From 368ba963fa4cc93203e2db975a4bf03cb7aaed27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 15:03:16 +0000 +Subject: net: add missing data-race annotations around sk->sk_peek_off + +From: Eric Dumazet + +[ Upstream commit 11695c6e966b0ec7ed1d16777d294cef865a5c91 ] + +sk_getsockopt() runs locklessly, thus we need to annotate the read +of sk->sk_peek_off. + +While we are at it, add corresponding annotations to sk_set_peek_off() +and unix_set_peek_off(). + +Fixes: b9bb53f3836f ("sock: convert sk_peek_offset functions to WRITE_ONCE") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + net/unix/af_unix.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 708018b58e906..a241734b10240 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1517,7 +1517,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + if (!sock->ops->set_peek_off) + return -EOPNOTSUPP; + +- v.val = sk->sk_peek_off; ++ v.val = READ_ONCE(sk->sk_peek_off); + break; + case SO_NOFCS: + v.val = sock_flag(sk, SOCK_NOFCS); +@@ -2745,7 +2745,7 @@ EXPORT_SYMBOL(__sk_mem_reclaim); + + int sk_set_peek_off(struct sock *sk, int val) + { +- sk->sk_peek_off = val; ++ WRITE_ONCE(sk->sk_peek_off, val); + return 0; + } + EXPORT_SYMBOL_GPL(sk_set_peek_off); +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 2fe0efcbfed16..3aa783a23c5f6 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -697,7 +697,7 @@ static int unix_set_peek_off(struct sock *sk, int val) + if (mutex_lock_interruptible(&u->iolock)) + return -EINTR; + +- sk->sk_peek_off = val; ++ WRITE_ONCE(sk->sk_peek_off, val); + mutex_unlock(&u->iolock); + + return 0; +-- +2.40.1 + diff --git a/queue-5.10/net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch b/queue-5.10/net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch new file mode 100644 index 00000000000..a0759be6971 --- /dev/null +++ b/queue-5.10/net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch @@ -0,0 +1,36 @@ +From f3b4171914f6200dc6c6745fc2956b678b2622f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 15:03:14 +0000 +Subject: net: add missing READ_ONCE(sk->sk_rcvbuf) annotation + +From: Eric Dumazet + +[ Upstream commit b4b553253091cafe9ec38994acf42795e073bef5 ] + +In a prior commit, I forgot to change sk_getsockopt() +when reading sk->sk_rcvbuf locklessly. + +Fixes: ebb3b78db7bf ("tcp: annotate sk->sk_rcvbuf lockless reads") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 6f422882d34f2..708018b58e906 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1336,7 +1336,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + break; + + case SO_RCVBUF: +- v.val = sk->sk_rcvbuf; ++ v.val = READ_ONCE(sk->sk_rcvbuf); + break; + + case SO_REUSEADDR: +-- +2.40.1 + diff --git a/queue-5.10/net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch b/queue-5.10/net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch new file mode 100644 index 00000000000..9103d76cd31 --- /dev/null +++ b/queue-5.10/net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch @@ -0,0 +1,36 @@ +From 6c300a0f2fee462a11ff6ddf170cf302044f8943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 15:03:11 +0000 +Subject: net: add missing READ_ONCE(sk->sk_rcvlowat) annotation + +From: Eric Dumazet + +[ Upstream commit e6d12bdb435d23ff6c1890c852d85408a2f496ee ] + +In a prior commit, I forgot to change sk_getsockopt() +when reading sk->sk_rcvlowat locklessly. + +Fixes: eac66402d1c3 ("net: annotate sk->sk_rcvlowat lockless reads") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index c7ba7d82eb36c..66aab0981f666 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1423,7 +1423,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + break; + + case SO_RCVLOWAT: +- v.val = sk->sk_rcvlowat; ++ v.val = READ_ONCE(sk->sk_rcvlowat); + break; + + case SO_SNDLOWAT: +-- +2.40.1 + diff --git a/queue-5.10/net-add-missing-read_once-sk-sk_sndbuf-annotation.patch b/queue-5.10/net-add-missing-read_once-sk-sk_sndbuf-annotation.patch new file mode 100644 index 00000000000..f676f8cbb3b --- /dev/null +++ b/queue-5.10/net-add-missing-read_once-sk-sk_sndbuf-annotation.patch @@ -0,0 +1,36 @@ +From d9a11149befb1c19adbf517bd2007b7f2ae357be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 15:03:13 +0000 +Subject: net: add missing READ_ONCE(sk->sk_sndbuf) annotation + +From: Eric Dumazet + +[ Upstream commit 74bc084327c643499474ba75df485607da37dd6e ] + +In a prior commit, I forgot to change sk_getsockopt() +when reading sk->sk_sndbuf locklessly. + +Fixes: e292f05e0df7 ("tcp: annotate sk->sk_sndbuf lockless reads") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 66aab0981f666..6f422882d34f2 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1332,7 +1332,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + break; + + case SO_SNDBUF: +- v.val = sk->sk_sndbuf; ++ v.val = READ_ONCE(sk->sk_sndbuf); + break; + + case SO_RCVBUF: +-- +2.40.1 + diff --git a/queue-5.10/net-annotate-data-races-around-sk-sk_max_pacing_rate.patch b/queue-5.10/net-annotate-data-races-around-sk-sk_max_pacing_rate.patch new file mode 100644 index 00000000000..854630cc339 --- /dev/null +++ b/queue-5.10/net-annotate-data-races-around-sk-sk_max_pacing_rate.patch @@ -0,0 +1,54 @@ +From 961eff452977ef705e5262a031ed674216440e14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 15:03:10 +0000 +Subject: net: annotate data-races around sk->sk_max_pacing_rate + +From: Eric Dumazet + +[ Upstream commit ea7f45ef77b39e72244d282e47f6cb1ef4135cd2 ] + +sk_getsockopt() runs locklessly. This means sk->sk_max_pacing_rate +can be read while other threads are changing its value. + +Fixes: 62748f32d501 ("net: introduce SO_MAX_PACING_RATE") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 4e00c6e2cb431..c7ba7d82eb36c 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1183,7 +1183,8 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + cmpxchg(&sk->sk_pacing_status, + SK_PACING_NONE, + SK_PACING_NEEDED); +- sk->sk_max_pacing_rate = ulval; ++ /* Pairs with READ_ONCE() from sk_getsockopt() */ ++ WRITE_ONCE(sk->sk_max_pacing_rate, ulval); + sk->sk_pacing_rate = min(sk->sk_pacing_rate, ulval); + break; + } +@@ -1551,12 +1552,14 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + #endif + + case SO_MAX_PACING_RATE: ++ /* The READ_ONCE() pair with the WRITE_ONCE() in sk_setsockopt() */ + if (sizeof(v.ulval) != sizeof(v.val) && len >= sizeof(v.ulval)) { + lv = sizeof(v.ulval); +- v.ulval = sk->sk_max_pacing_rate; ++ v.ulval = READ_ONCE(sk->sk_max_pacing_rate); + } else { + /* 32bit version */ +- v.val = min_t(unsigned long, sk->sk_max_pacing_rate, ~0U); ++ v.val = min_t(unsigned long, ~0U, ++ READ_ONCE(sk->sk_max_pacing_rate)); + } + break; + +-- +2.40.1 + diff --git a/queue-5.10/net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch b/queue-5.10/net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch new file mode 100644 index 00000000000..29b4b6fcd8f --- /dev/null +++ b/queue-5.10/net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch @@ -0,0 +1,103 @@ +From cb9efdac2f1dab0c9db789a5175b606a00642dcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 09:32:48 +0800 +Subject: net: dcb: choose correct policy to parse DCB_ATTR_BCN + +From: Lin Ma + +[ Upstream commit 31d49ba033095f6e8158c60f69714a500922e0c3 ] + +The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN], +which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB +BCN"). Please see the comment in below code + +static int dcbnl_bcn_setcfg(...) +{ + ... + ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. ) + // !!! dcbnl_pfc_up_nest for attributes + // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs + ... + for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) { + // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs + ... + value_byte = nla_get_u8(data[i]); + ... + } + ... + for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) { + // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs + ... + value_int = nla_get_u32(data[i]); + ... + } + ... +} + +That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest +attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the +following access code fetch each nlattr as dcbnl_bcn_attrs attributes. +By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find +the beginning part of these two policies are "same". + +static const struct nla_policy dcbnl_pfc_up_nest[...] = { + [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG}, +}; + +static const struct nla_policy dcbnl_bcn_nest[...] 
= { + [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG}, + // from here is somewhat different + [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32}, + ... + [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG}, +}; + +Therefore, the current code is buggy and this +nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use +the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0. + +Hence use the correct policy dcbnl_bcn_nest to parse the nested +tb[DCB_ATTR_BCN] TLV. + +Fixes: 859ee3c43812 ("DCB: Add support for DCB BCN") +Signed-off-by: Lin Ma +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230801013248.87240-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dcb/dcbnl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c +index 2535d3dfb92c8..c0fb70936ca17 100644 +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -946,7 +946,7 @@ static int dcbnl_bcn_setcfg(struct net_device *netdev, struct nlmsghdr *nlh, + return -EOPNOTSUPP; + + ret = nla_parse_nested_deprecated(data, DCB_BCN_ATTR_MAX, +- tb[DCB_ATTR_BCN], dcbnl_pfc_up_nest, ++ tb[DCB_ATTR_BCN], dcbnl_bcn_nest, + NULL); + if (ret) + return ret; +-- +2.40.1 + diff --git a/queue-5.10/net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch b/queue-5.10/net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch new file mode 100644 index 00000000000..a6fb6850b96 --- /dev/null +++ b/queue-5.10/net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch @@ -0,0 +1,52 @@ +From 6814f9659393e872e6a8f7fcbc5a0173d82baedb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 01:05:06 +0800 +Subject: net: dsa: fix value check in bcm_sf2_sw_probe() + +From: Yuanjun Gong + +[ Upstream commit dadc5b86cc9459581f37fe755b431adc399ea393 ] + +in bcm_sf2_sw_probe(), check the return value of clk_prepare_enable() +and return the error code if clk_prepare_enable() returns an +unexpected value. 
+ +Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks") +Signed-off-by: Yuanjun Gong +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230726170506.16547-1-ruc_gongyuanjun@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index c6563d212476a..f2f890e559f3a 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -1301,7 +1301,9 @@ static int bcm_sf2_sw_probe(struct platform_device *pdev) + if (IS_ERR(priv->clk)) + return PTR_ERR(priv->clk); + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) ++ return ret; + + priv->clk_mdiv = devm_clk_get_optional(&pdev->dev, "sw_switch_mdiv"); + if (IS_ERR(priv->clk_mdiv)) { +@@ -1309,7 +1311,9 @@ static int bcm_sf2_sw_probe(struct platform_device *pdev) + goto out_clk; + } + +- clk_prepare_enable(priv->clk_mdiv); ++ ret = clk_prepare_enable(priv->clk_mdiv); ++ if (ret) ++ goto out_clk; + + ret = bcm_sf2_sw_rst(priv); + if (ret) { +-- +2.40.1 + diff --git a/queue-5.10/net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch b/queue-5.10/net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch new file mode 100644 index 00000000000..1d2e1204a3b --- /dev/null +++ b/queue-5.10/net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch @@ -0,0 +1,54 @@ +From a0c59cb55d601fbfe3de5ea0a1efe88a3dc5c003 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:42:32 +0300 +Subject: net: ll_temac: fix error checking of irq_of_parse_and_map() + +From: Dan Carpenter + +[ Upstream commit ef45e8400f5bb66b03cc949f76c80e2a118447de ] + +Most kernel functions return negative error codes but some irq functions +return zero on error. In this code irq_of_parse_and_map(), returns zero +and platform_get_irq() returns negative error codes. We need to handle +both cases appropriately. 
+ +Fixes: 8425c41d1ef7 ("net: ll_temac: Extend support to non-device-tree platforms") +Signed-off-by: Dan Carpenter +Acked-by: Esben Haabendal +Reviewed-by: Yang Yingliang +Reviewed-by: Harini Katakam +Link: https://lore.kernel.org/r/3d0aef75-06e0-45a5-a2a6-2cc4738d4143@moroto.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/ll_temac_main.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 2f27e93370c6c..da136abba1520 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -1550,12 +1550,16 @@ static int temac_probe(struct platform_device *pdev) + } + + /* Error handle returned DMA RX and TX interrupts */ +- if (lp->rx_irq < 0) +- return dev_err_probe(&pdev->dev, lp->rx_irq, ++ if (lp->rx_irq <= 0) { ++ rc = lp->rx_irq ?: -EINVAL; ++ return dev_err_probe(&pdev->dev, rc, + "could not get DMA RX irq\n"); +- if (lp->tx_irq < 0) +- return dev_err_probe(&pdev->dev, lp->tx_irq, ++ } ++ if (lp->tx_irq <= 0) { ++ rc = lp->tx_irq ?: -EINVAL; ++ return dev_err_probe(&pdev->dev, rc, + "could not get DMA TX irq\n"); ++ } + + if (temac_np) { + /* Retrieve the MAC address */ +-- +2.40.1 + diff --git a/queue-5.10/net-ll_temac-switch-to-use-dev_err_probe-helper.patch b/queue-5.10/net-ll_temac-switch-to-use-dev_err_probe-helper.patch new file mode 100644 index 00000000000..b70c813b33c --- /dev/null +++ b/queue-5.10/net-ll_temac-switch-to-use-dev_err_probe-helper.patch @@ -0,0 +1,50 @@ +From e8da7b159d4ac0d4a7b2d8e325ded5827f48de68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:42:14 +0800 +Subject: net: ll_temac: Switch to use dev_err_probe() helper + +From: Yang Yingliang + +[ Upstream commit 75ae8c284c00dc3584b7c173f6fcf96ee15bd02c ] + +dev_err() can be replace with dev_err_probe() which will check if error +code is -EPROBE_DEFER. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. 
Miller +Stable-dep-of: ef45e8400f5b ("net: ll_temac: fix error checking of irq_of_parse_and_map()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/ll_temac_main.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 130f4b707bdc4..2f27e93370c6c 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -1550,16 +1550,12 @@ static int temac_probe(struct platform_device *pdev) + } + + /* Error handle returned DMA RX and TX interrupts */ +- if (lp->rx_irq < 0) { +- if (lp->rx_irq != -EPROBE_DEFER) +- dev_err(&pdev->dev, "could not get DMA RX irq\n"); +- return lp->rx_irq; +- } +- if (lp->tx_irq < 0) { +- if (lp->tx_irq != -EPROBE_DEFER) +- dev_err(&pdev->dev, "could not get DMA TX irq\n"); +- return lp->tx_irq; +- } ++ if (lp->rx_irq < 0) ++ return dev_err_probe(&pdev->dev, lp->rx_irq, ++ "could not get DMA RX irq\n"); ++ if (lp->tx_irq < 0) ++ return dev_err_probe(&pdev->dev, lp->tx_irq, ++ "could not get DMA TX irq\n"); + + if (temac_np) { + /* Retrieve the MAC address */ +-- +2.40.1 + diff --git a/queue-5.10/net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch b/queue-5.10/net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch new file mode 100644 index 00000000000..6a89ff75bcc --- /dev/null +++ b/queue-5.10/net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch @@ -0,0 +1,44 @@ +From 90ef786908d55ed28606d310dc0fcd28d340df43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 20:15:27 +0800 +Subject: net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx + +From: Zhengchao Shao + +[ Upstream commit 5dd77585dd9d0e03dd1bceb95f0269a7eaf6b936 ] + +when mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory +pointed by 'in' is not released, which will cause memory leak. Move memory +release after mlx5_cmd_exec. 
+ +Fixes: 1d9186476e12 ("net/mlx5: DR, Add direct rule command utilities") +Signed-off-by: Zhengchao Shao +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +index fd56cae0d54fc..4549840fb91ad 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +@@ -425,11 +425,12 @@ int mlx5dr_cmd_create_reformat_ctx(struct mlx5_core_dev *mdev, + + err = mlx5_cmd_exec(mdev, in, inlen, out, sizeof(out)); + if (err) +- return err; ++ goto err_free_in; + + *reformat_id = MLX5_GET(alloc_packet_reformat_context_out, out, packet_reformat_id); +- kvfree(in); + ++err_free_in: ++ kvfree(in); + return err; + } + +-- +2.40.1 + diff --git a/queue-5.10/net-mlx5-fs_core-make-find_closest_ft-more-generic.patch b/queue-5.10/net-mlx5-fs_core-make-find_closest_ft-more-generic.patch new file mode 100644 index 00000000000..b0d8503ba12 --- /dev/null +++ b/queue-5.10/net-mlx5-fs_core-make-find_closest_ft-more-generic.patch @@ -0,0 +1,120 @@ +From f47513fbc593630516c60adc3976806d1db5873a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 14:58:40 +0300 +Subject: net/mlx5: fs_core: Make find_closest_ft more generic + +From: Jianbo Liu + +[ Upstream commit 618d28a535a0582617465d14e05f3881736a2962 ] + +As find_closest_ft_recursive is called to find the closest FT, the +first parameter of find_closest_ft can be changed from fs_prio to +fs_node. Thus this function is extended to find the closest FT for the +nodes of any type, not only prios, but also the sub namespaces. + +Signed-off-by: Jianbo Liu +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/d3962c2b443ec8dde7a740dc742a1f052d5e256c.1690803944.git.leonro@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: c635ca45a7a2 ("net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS fs_prio") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 29 +++++++++---------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 4bdcceffe9d38..692fe3e5d0763 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -818,18 +818,17 @@ static struct mlx5_flow_table *find_closest_ft_recursive(struct fs_node *root, + return ft; + } + +-/* If reverse is false then return the first flow table in next priority of +- * prio in the tree, else return the last flow table in the previous priority +- * of prio in the tree. ++/* If reverse is false then return the first flow table next to the passed node ++ * in the tree, else return the last flow table before the node in the tree. 
+ */ +-static struct mlx5_flow_table *find_closest_ft(struct fs_prio *prio, bool reverse) ++static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool reverse) + { + struct mlx5_flow_table *ft = NULL; + struct fs_node *curr_node; + struct fs_node *parent; + +- parent = prio->node.parent; +- curr_node = &prio->node; ++ parent = node->parent; ++ curr_node = node; + while (!ft && parent) { + ft = find_closest_ft_recursive(parent, &curr_node->list, reverse); + curr_node = parent; +@@ -839,15 +838,15 @@ static struct mlx5_flow_table *find_closest_ft(struct fs_prio *prio, bool revers + } + + /* Assuming all the tree is locked by mutex chain lock */ +-static struct mlx5_flow_table *find_next_chained_ft(struct fs_prio *prio) ++static struct mlx5_flow_table *find_next_chained_ft(struct fs_node *node) + { +- return find_closest_ft(prio, false); ++ return find_closest_ft(node, false); + } + + /* Assuming all the tree is locked by mutex chain lock */ +-static struct mlx5_flow_table *find_prev_chained_ft(struct fs_prio *prio) ++static struct mlx5_flow_table *find_prev_chained_ft(struct fs_node *node) + { +- return find_closest_ft(prio, true); ++ return find_closest_ft(node, true); + } + + static struct mlx5_flow_table *find_next_fwd_ft(struct mlx5_flow_table *ft, +@@ -859,7 +858,7 @@ static struct mlx5_flow_table *find_next_fwd_ft(struct mlx5_flow_table *ft, + next_ns = flow_act->action & MLX5_FLOW_CONTEXT_ACTION_FWD_NEXT_NS; + fs_get_obj(prio, next_ns ? ft->ns->node.parent : ft->node.parent); + +- return find_next_chained_ft(prio); ++ return find_next_chained_ft(&prio->node); + } + + static int connect_fts_in_prio(struct mlx5_core_dev *dev, +@@ -890,7 +889,7 @@ static int connect_prev_fts(struct mlx5_core_dev *dev, + { + struct mlx5_flow_table *prev_ft; + +- prev_ft = find_prev_chained_ft(prio); ++ prev_ft = find_prev_chained_ft(&prio->node); + if (prev_ft) { + struct fs_prio *prev_prio; + +@@ -1036,7 +1035,7 @@ static int connect_flow_table(struct mlx5_core_dev *dev, struct mlx5_flow_table + if (err) + return err; + +- next_ft = first_ft ? first_ft : find_next_chained_ft(prio); ++ next_ft = first_ft ? first_ft : find_next_chained_ft(&prio->node); + err = connect_fwd_rules(dev, ft, next_ft); + if (err) + return err; +@@ -1114,7 +1113,7 @@ static struct mlx5_flow_table *__mlx5_create_flow_table(struct mlx5_flow_namespa + tree_init_node(&ft->node, del_hw_flow_table, del_sw_flow_table); + log_table_sz = ft->max_fte ? ilog2(ft->max_fte) : 0; + next_ft = unmanaged ? 
ft_attr->next_ft : +- find_next_chained_ft(fs_prio); ++ find_next_chained_ft(&fs_prio->node); + ft->def_miss_action = ns->def_miss_action; + ft->ns = ns; + err = root->cmds->create_flow_table(root, ft, log_table_sz, next_ft); +@@ -2079,7 +2078,7 @@ static struct mlx5_flow_table *find_next_ft(struct mlx5_flow_table *ft) + + if (!list_is_last(&ft->node.list, &prio->node.children)) + return list_next_entry(ft, node.list); +- return find_next_chained_ft(prio); ++ return find_next_chained_ft(&prio->node); + } + + static int update_root_ft_destroy(struct mlx5_flow_table *ft) +-- +2.40.1 + diff --git a/queue-5.10/net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch b/queue-5.10/net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch new file mode 100644 index 00000000000..9a62f318285 --- /dev/null +++ b/queue-5.10/net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch @@ -0,0 +1,196 @@ +From 71783719f935285a0ffd522d1b79aea9c844ba90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 14:58:41 +0300 +Subject: net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS + fs_prio + +From: Jianbo Liu + +[ Upstream commit c635ca45a7a2023904a1f851e99319af7b87017d ] + +In the cited commit, new type of FS_TYPE_PRIO_CHAINS fs_prio was added +to support multiple parallel namespaces for multi-chains. And we skip +all the flow tables under the fs_node of this type unconditionally, +when searching for the next or previous flow table to connect for a +new table. + +As this search function is also used for find new root table when the +old one is being deleted, it will skip the entire FS_TYPE_PRIO_CHAINS +fs_node next to the old root. However, new root table should be chosen +from it if there is any table in it. Fix it by skipping only the flow +tables in the same FS_TYPE_PRIO_CHAINS fs_node when finding the +closest FT for a fs_node. + +Besides, complete the connecting from FTs of previous priority of prio +because there should be multiple prevs after this fs_prio type is +introduced. And also the next FT should be chosen from the first flow +table next to the prio in the same FS_TYPE_PRIO_CHAINS fs_prio, if +this prio is the first child. 
+ +Fixes: 328edb499f99 ("net/mlx5: Split FDB fast path prio to multiple namespaces") +Signed-off-by: Jianbo Liu +Reviewed-by: Paul Blakey +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/7a95754df479e722038996c97c97b062b372591f.1690803944.git.leonro@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 80 +++++++++++++++++-- + 1 file changed, 72 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 692fe3e5d0763..4e8e3797aed08 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -802,7 +802,7 @@ static struct mlx5_flow_table *find_closest_ft_recursive(struct fs_node *root, + struct fs_node *iter = list_entry(start, struct fs_node, list); + struct mlx5_flow_table *ft = NULL; + +- if (!root || root->type == FS_TYPE_PRIO_CHAINS) ++ if (!root) + return NULL; + + list_for_each_advance_continue(iter, &root->children, reverse) { +@@ -818,19 +818,42 @@ static struct mlx5_flow_table *find_closest_ft_recursive(struct fs_node *root, + return ft; + } + ++static struct fs_node *find_prio_chains_parent(struct fs_node *parent, ++ struct fs_node **child) ++{ ++ struct fs_node *node = NULL; ++ ++ while (parent && parent->type != FS_TYPE_PRIO_CHAINS) { ++ node = parent; ++ parent = parent->parent; ++ } ++ ++ if (child) ++ *child = node; ++ ++ return parent; ++} ++ + /* If reverse is false then return the first flow table next to the passed node + * in the tree, else return the last flow table before the node in the tree. ++ * If skip is true, skip the flow tables in the same prio_chains prio. + */ +-static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool reverse) ++static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool reverse, ++ bool skip) + { ++ struct fs_node *prio_chains_parent = NULL; + struct mlx5_flow_table *ft = NULL; + struct fs_node *curr_node; + struct fs_node *parent; + ++ if (skip) ++ prio_chains_parent = find_prio_chains_parent(node, NULL); + parent = node->parent; + curr_node = node; + while (!ft && parent) { +- ft = find_closest_ft_recursive(parent, &curr_node->list, reverse); ++ if (parent != prio_chains_parent) ++ ft = find_closest_ft_recursive(parent, &curr_node->list, ++ reverse); + curr_node = parent; + parent = curr_node->parent; + } +@@ -840,13 +863,13 @@ static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool revers + /* Assuming all the tree is locked by mutex chain lock */ + static struct mlx5_flow_table *find_next_chained_ft(struct fs_node *node) + { +- return find_closest_ft(node, false); ++ return find_closest_ft(node, false, true); + } + + /* Assuming all the tree is locked by mutex chain lock */ + static struct mlx5_flow_table *find_prev_chained_ft(struct fs_node *node) + { +- return find_closest_ft(node, true); ++ return find_closest_ft(node, true, true); + } + + static struct mlx5_flow_table *find_next_fwd_ft(struct mlx5_flow_table *ft, +@@ -882,21 +905,55 @@ static int connect_fts_in_prio(struct mlx5_core_dev *dev, + return 0; + } + ++static struct mlx5_flow_table *find_closet_ft_prio_chains(struct fs_node *node, ++ struct fs_node *parent, ++ struct fs_node **child, ++ bool reverse) ++{ ++ struct mlx5_flow_table *ft; ++ ++ ft = find_closest_ft(node, reverse, false); ++ ++ if (ft && parent == find_prio_chains_parent(&ft->node, child)) ++ return ft; ++ ++ return 
NULL; ++} ++ + /* Connect flow tables from previous priority of prio to ft */ + static int connect_prev_fts(struct mlx5_core_dev *dev, + struct mlx5_flow_table *ft, + struct fs_prio *prio) + { ++ struct fs_node *prio_parent, *parent = NULL, *child, *node; + struct mlx5_flow_table *prev_ft; ++ int err = 0; ++ ++ prio_parent = find_prio_chains_parent(&prio->node, &child); ++ ++ /* return directly if not under the first sub ns of prio_chains prio */ ++ if (prio_parent && !list_is_first(&child->list, &prio_parent->children)) ++ return 0; + + prev_ft = find_prev_chained_ft(&prio->node); +- if (prev_ft) { ++ while (prev_ft) { + struct fs_prio *prev_prio; + + fs_get_obj(prev_prio, prev_ft->node.parent); +- return connect_fts_in_prio(dev, prev_prio, ft); ++ err = connect_fts_in_prio(dev, prev_prio, ft); ++ if (err) ++ break; ++ ++ if (!parent) { ++ parent = find_prio_chains_parent(&prev_prio->node, &child); ++ if (!parent) ++ break; ++ } ++ ++ node = child; ++ prev_ft = find_closet_ft_prio_chains(node, parent, &child, true); + } +- return 0; ++ return err; + } + + static int update_root_ft_create(struct mlx5_flow_table *ft, struct fs_prio +@@ -2072,12 +2129,19 @@ EXPORT_SYMBOL(mlx5_del_flow_rules); + /* Assuming prio->node.children(flow tables) is sorted by level */ + static struct mlx5_flow_table *find_next_ft(struct mlx5_flow_table *ft) + { ++ struct fs_node *prio_parent, *child; + struct fs_prio *prio; + + fs_get_obj(prio, ft->node.parent); + + if (!list_is_last(&ft->node.list, &prio->node.children)) + return list_next_entry(ft, node.list); ++ ++ prio_parent = find_prio_chains_parent(&prio->node, &child); ++ ++ if (prio_parent && list_is_first(&child->list, &prio_parent->children)) ++ return find_closest_ft(&prio->node, false, false); ++ + return find_next_chained_ft(&prio->node); + } + +-- +2.40.1 + diff --git a/queue-5.10/net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch b/queue-5.10/net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch new file mode 100644 index 00000000000..1c11879121f --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch @@ -0,0 +1,39 @@ +From 74bfad4a993b37dcaae8828b646d54903c561c50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 14:56:55 +0800 +Subject: net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer() + +From: Yuanjun Gong + +[ Upstream commit e5bcb7564d3bd0c88613c76963c5349be9c511c5 ] + +mlx5e_ipsec_remove_trailer() should return an error code if function +pskb_trim() returns an unexpected value. 
+ +Fixes: 2ac9cfe78223 ("net/mlx5e: IPSec, Add Innova IPSec offload TX data path") +Signed-off-by: Yuanjun Gong +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c +index a9b45606dbdb7..76ef8a009d6e8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c +@@ -121,7 +121,9 @@ static int mlx5e_ipsec_remove_trailer(struct sk_buff *skb, struct xfrm_state *x) + + trailer_len = alen + plen + 2; + +- pskb_trim(skb, skb->len - trailer_len); ++ ret = pskb_trim(skb, skb->len - trailer_len); ++ if (unlikely(ret)) ++ return ret; + if (skb->protocol == htons(ETH_P_IP)) { + ipv4hdr->tot_len = htons(ntohs(ipv4hdr->tot_len) - trailer_len); + ip_send_check(ipv4hdr); +-- +2.40.1 + diff --git a/queue-5.10/net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch b/queue-5.10/net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch new file mode 100644 index 00000000000..4bf1203cf5a --- /dev/null +++ b/queue-5.10/net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch @@ -0,0 +1,61 @@ +From 679a1100023f54d701bb8cd79d6e1c65454cdcf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 11:48:32 +0100 +Subject: net: netsec: Ignore 'phy-mode' on SynQuacer in DT mode + +From: Mark Brown + +[ Upstream commit f3bb7759a924713bc54d15f6d0d70733b5935fad ] + +As documented in acd7aaf51b20 ("netsec: ignore 'phy-mode' device +property on ACPI systems") the SocioNext SynQuacer platform ships with +firmware defining the PHY mode as RGMII even though the physical +configuration of the PHY is for TX and RX delays. Since bbc4d71d63549bc +("net: phy: realtek: fix rtl8211e rx/tx delay config") this has caused +misconfiguration of the PHY, rendering the network unusable. + +This was worked around for ACPI by ignoring the phy-mode property but +the system is also used with DT. For DT instead if we're running on a +SynQuacer force a working PHY mode, as well as the standard EDK2 +firmware with DT there are also some of these systems that use u-boot +and might not initialise the PHY if not netbooting. Newer firmware +imagaes for at least EDK2 are available from Linaro so print a warning +when doing this. + +Fixes: 533dd11a12f6 ("net: socionext: Add Synquacer NetSec driver") +Signed-off-by: Mark Brown +Acked-by: Ard Biesheuvel +Acked-by: Ilias Apalodimas +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230731-synquacer-net-v3-1-944be5f06428@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/socionext/netsec.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c +index b9acee214bb6a..bb86315581818 100644 +--- a/drivers/net/ethernet/socionext/netsec.c ++++ b/drivers/net/ethernet/socionext/netsec.c +@@ -1845,6 +1845,17 @@ static int netsec_of_probe(struct platform_device *pdev, + return err; + } + ++ /* ++ * SynQuacer is physically configured with TX and RX delays ++ * but the standard firmware claimed otherwise for a long ++ * time, ignore it. 
++ */ ++ if (of_machine_is_compatible("socionext,developer-box") && ++ priv->phy_interface != PHY_INTERFACE_MODE_RGMII_ID) { ++ dev_warn(&pdev->dev, "Outdated firmware reports incorrect PHY mode, overriding\n"); ++ priv->phy_interface = PHY_INTERFACE_MODE_RGMII_ID; ++ } ++ + priv->phy_np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0); + if (!priv->phy_np) { + dev_err(&pdev->dev, "missing required property 'phy-handle'\n"); +-- +2.40.1 + diff --git a/queue-5.10/net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch b/queue-5.10/net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch new file mode 100644 index 00000000000..39146517276 --- /dev/null +++ b/queue-5.10/net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch @@ -0,0 +1,50 @@ +From f9ffebc11a605d22895610dcea1370a07f05a00f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Jul 2023 08:32:01 -0400 +Subject: net/sched: cls_fw: No longer copy tcf_result on update to avoid + use-after-free + +From: valis + +[ Upstream commit 76e42ae831991c828cffa8c37736ebfb831ad5ec ] + +When fw_change() is called on an existing filter, the whole +tcf_result struct is always copied into the new instance of the filter. + +This causes a problem when updating a filter bound to a class, +as tcf_unbind_filter() is always called on the old instance in the +success path, decreasing filter_cnt of the still referenced class +and allowing it to be deleted, leading to a use-after-free. + +Fix this by no longer copying the tcf_result struct from the old filter. + +Fixes: e35a8ee5993b ("net: sched: fw use RCU") +Reported-by: valis +Reported-by: Bing-Jhong Billy Jheng +Signed-off-by: valis +Signed-off-by: Jamal Hadi Salim +Reviewed-by: Victor Nogueira +Reviewed-by: Pedro Tammela +Reviewed-by: M A Ramdhan +Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_fw.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c +index 41f0898a5a565..08c41f1976c47 100644 +--- a/net/sched/cls_fw.c ++++ b/net/sched/cls_fw.c +@@ -266,7 +266,6 @@ static int fw_change(struct net *net, struct sk_buff *in_skb, + return -ENOBUFS; + + fnew->id = f->id; +- fnew->res = f->res; + fnew->ifindex = f->ifindex; + fnew->tp = f->tp; + +-- +2.40.1 + diff --git a/queue-5.10/net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch b/queue-5.10/net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch new file mode 100644 index 00000000000..30daff99a62 --- /dev/null +++ b/queue-5.10/net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch @@ -0,0 +1,50 @@ +From 16877fdf163c289e4050192caafd5b6e131cb76e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Jul 2023 08:32:02 -0400 +Subject: net/sched: cls_route: No longer copy tcf_result on update to avoid + use-after-free + +From: valis + +[ Upstream commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 ] + +When route4_change() is called on an existing filter, the whole +tcf_result struct is always copied into the new instance of the filter. + +This causes a problem when updating a filter bound to a class, +as tcf_unbind_filter() is always called on the old instance in the +success path, decreasing filter_cnt of the still referenced class +and allowing it to be deleted, leading to a use-after-free. + +Fix this by no longer copying the tcf_result struct from the old filter. 
+ +Fixes: 1109c00547fc ("net: sched: RCU cls_route") +Reported-by: valis +Reported-by: Bing-Jhong Billy Jheng +Signed-off-by: valis +Signed-off-by: Jamal Hadi Salim +Reviewed-by: Victor Nogueira +Reviewed-by: Pedro Tammela +Reviewed-by: M A Ramdhan +Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_route.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c +index b775e681cb56e..1ad4b3e60eb3b 100644 +--- a/net/sched/cls_route.c ++++ b/net/sched/cls_route.c +@@ -511,7 +511,6 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, + if (fold) { + f->id = fold->id; + f->iif = fold->iif; +- f->res = fold->res; + f->handle = fold->handle; + + f->tp = fold->tp; +-- +2.40.1 + diff --git a/queue-5.10/net-sched-cls_u32-fix-match-key-mis-addressing.patch b/queue-5.10/net-sched-cls_u32-fix-match-key-mis-addressing.patch new file mode 100644 index 00000000000..ac95153e737 --- /dev/null +++ b/queue-5.10/net-sched-cls_u32-fix-match-key-mis-addressing.patch @@ -0,0 +1,145 @@ +From 99f07e764eb257d31a00786f311e9b02dc122d0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 09:51:51 -0400 +Subject: net: sched: cls_u32: Fix match key mis-addressing + +From: Jamal Hadi Salim + +[ Upstream commit e68409db995380d1badacba41ff24996bd396171 ] + +A match entry is uniquely identified with an "address" or "path" in the +form of: hashtable ID(12b):bucketid(8b):nodeid(12b). + +When creating table match entries all of hash table id, bucket id and +node (match entry id) are needed to be either specified by the user or +reasonable in-kernel defaults are used. The in-kernel default for a table id is +0x800(omnipresent root table); for bucketid it is 0x0. Prior to this fix there +was none for a nodeid i.e. the code assumed that the user passed the correct +nodeid and if the user passes a nodeid of 0 (as Mingi Cho did) then that is what +was used. But nodeid of 0 is reserved for identifying the table. This is not +a problem until we dump. The dump code notices that the nodeid is zero and +assumes it is referencing a table and therefore references table struct +tc_u_hnode instead of what was created i.e match entry struct tc_u_knode. + +Ming does an equivalent of: +tc filter add dev dummy0 parent 10: prio 1 handle 0x1000 \ +protocol ip u32 match ip src 10.0.0.1/32 classid 10:1 action ok + +Essentially specifying a table id 0, bucketid 1 and nodeid of zero +Tableid 0 is remapped to the default of 0x800. +Bucketid 1 is ignored and defaults to 0x00. +Nodeid was assumed to be what Ming passed - 0x000 + +dumping before fix shows: +~$ tc filter ls dev dummy0 parent 10: +filter protocol ip pref 1 u32 chain 0 +filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1 +filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor -30591 + +Note that the last line reports a table instead of a match entry +(you can tell this because it says "ht divisor..."). +As a result of reporting the wrong data type (misinterpretting of struct +tc_u_knode as being struct tc_u_hnode) the divisor is reported with value +of -30591. Ming identified this as part of the heap address +(physmap_base is 0xffff8880 (-30591 - 1)). + +The fix is to ensure that when table entry matches are added and no +nodeid is specified (i.e nodeid == 0) then we get the next available +nodeid from the table's pool. 
+ +After the fix, this is what the dump shows: +$ tc filter ls dev dummy0 parent 10: +filter protocol ip pref 1 u32 chain 0 +filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1 +filter protocol ip pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 10:1 not_in_hw + match 0a000001/ffffffff at 12 + action order 1: gact action pass + random type none pass val 0 + index 1 ref 1 bind 1 + +Reported-by: Mingi Cho +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230726135151.416917-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 56 ++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 50 insertions(+), 6 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 1ac8ff445a6d3..04e933530cade 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -999,18 +999,62 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + return -EINVAL; + } + ++ /* At this point, we need to derive the new handle that will be used to ++ * uniquely map the identity of this table match entry. The ++ * identity of the entry that we need to construct is 32 bits made of: ++ * htid(12b):bucketid(8b):node/entryid(12b) ++ * ++ * At this point _we have the table(ht)_ in which we will insert this ++ * entry. We carry the table's id in variable "htid". ++ * Note that earlier code picked the ht selection either by a) the user ++ * providing the htid specified via TCA_U32_HASH attribute or b) when ++ * no such attribute is passed then the root ht, is default to at ID ++ * 0x[800][00][000]. Rule: the root table has a single bucket with ID 0. ++ * If OTOH the user passed us the htid, they may also pass a bucketid of ++ * choice. 0 is fine. For example a user htid is 0x[600][01][000] it is ++ * indicating hash bucketid of 1. Rule: the entry/node ID _cannot_ be ++ * passed via the htid, so even if it was non-zero it will be ignored. ++ * ++ * We may also have a handle, if the user passed one. The handle also ++ * carries the same addressing of htid(12b):bucketid(8b):node/entryid(12b). ++ * Rule: the bucketid on the handle is ignored even if one was passed; ++ * rather the value on "htid" is always assumed to be the bucketid. ++ */ + if (handle) { ++ /* Rule: The htid from handle and tableid from htid must match */ + if (TC_U32_HTID(handle) && TC_U32_HTID(handle ^ htid)) { + NL_SET_ERR_MSG_MOD(extack, "Handle specified hash table address mismatch"); + return -EINVAL; + } +- handle = htid | TC_U32_NODE(handle); +- err = idr_alloc_u32(&ht->handle_idr, NULL, &handle, handle, +- GFP_KERNEL); +- if (err) +- return err; +- } else ++ /* Ok, so far we have a valid htid(12b):bucketid(8b) but we ++ * need to finalize the table entry identification with the last ++ * part - the node/entryid(12b)). Rule: Nodeid _cannot be 0_ for ++ * entries. Rule: nodeid of 0 is reserved only for tables(see ++ * earlier code which processes TC_U32_DIVISOR attribute). ++ * Rule: The nodeid can only be derived from the handle (and not ++ * htid). ++ * Rule: if the handle specified zero for the node id example ++ * 0x60000000, then pick a new nodeid from the pool of IDs ++ * this hash table has been allocating from. ++ * If OTOH it is specified (i.e for example the user passed a ++ * handle such as 0x60000123), then we use it generate our final ++ * handle which is used to uniquely identify the match entry. 
++ */ ++ if (!TC_U32_NODE(handle)) { ++ handle = gen_new_kid(ht, htid); ++ } else { ++ handle = htid | TC_U32_NODE(handle); ++ err = idr_alloc_u32(&ht->handle_idr, NULL, &handle, ++ handle, GFP_KERNEL); ++ if (err) ++ return err; ++ } ++ } else { ++ /* The user did not give us a handle; lets just generate one ++ * from the table's pool of nodeids. ++ */ + handle = gen_new_kid(ht, htid); ++ } + + if (tb[TCA_U32_SEL] == NULL) { + NL_SET_ERR_MSG_MOD(extack, "Selector not specified"); +-- +2.40.1 + diff --git a/queue-5.10/net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch b/queue-5.10/net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch new file mode 100644 index 00000000000..06fc46f2840 --- /dev/null +++ b/queue-5.10/net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch @@ -0,0 +1,50 @@ +From 6f434a1525fbe9ca78811a00ae281757e92f8598 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Jul 2023 08:32:00 -0400 +Subject: net/sched: cls_u32: No longer copy tcf_result on update to avoid + use-after-free + +From: valis + +[ Upstream commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 ] + +When u32_change() is called on an existing filter, the whole +tcf_result struct is always copied into the new instance of the filter. + +This causes a problem when updating a filter bound to a class, +as tcf_unbind_filter() is always called on the old instance in the +success path, decreasing filter_cnt of the still referenced class +and allowing it to be deleted, leading to a use-after-free. + +Fix this by no longer copying the tcf_result struct from the old filter. + +Fixes: de5df63228fc ("net: sched: cls_u32 changes to knode must appear atomic to readers") +Reported-by: valis +Reported-by: M A Ramdhan +Signed-off-by: valis +Signed-off-by: Jamal Hadi Salim +Reviewed-by: Victor Nogueira +Reviewed-by: Pedro Tammela +Reviewed-by: M A Ramdhan +Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 04e933530cade..b2d2ba561eba1 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -812,7 +812,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp, + + new->ifindex = n->ifindex; + new->fshift = n->fshift; +- new->res = n->res; + new->flags = n->flags; + RCU_INIT_POINTER(new->ht_down, ht); + +-- +2.40.1 + diff --git a/queue-5.10/perf-test-uprobe_from_different_cu-skip-if-there-is-.patch b/queue-5.10/perf-test-uprobe_from_different_cu-skip-if-there-is-.patch new file mode 100644 index 00000000000..58899ad5f78 --- /dev/null +++ b/queue-5.10/perf-test-uprobe_from_different_cu-skip-if-there-is-.patch @@ -0,0 +1,66 @@ +From facf5a6715a57a28a270f544b41340a157955104 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 17:18:12 +0200 +Subject: perf test uprobe_from_different_cu: Skip if there is no gcc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +[ Upstream commit 98ce8e4a9dcfb448b30a2d7a16190f4a00382377 ] + +Without gcc, the test will fail. + +On cleanup, ignore probe removal errors. Otherwise, in case of an error +adding the probe, the temporary directory is not removed. 
+ +Fixes: 56cbeacf14353057 ("perf probe: Add test for regression introduced by switch to die_get_decl_file()") +Signed-off-by: Georg Müller +Acked-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Georg Müller +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230728151812.454806-2-georgmueller@gmx.net +Link: https://lore.kernel.org/r/CAP-5=fUP6UuLgRty3t2=fQsQi3k4hDMz415vWdp1x88QMvZ8ug@mail.gmail.com/ +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/shell/test_uprobe_from_different_cu.sh b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +index 00d2e0e2e0c28..319f36ebb9a40 100644 +--- a/tools/perf/tests/shell/test_uprobe_from_different_cu.sh ++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +@@ -4,6 +4,12 @@ + + set -e + ++# skip if there's no gcc ++if ! [ -x "$(command -v gcc)" ]; then ++ echo "failed: no gcc compiler" ++ exit 2 ++fi ++ + temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) + + cleanup() +@@ -11,7 +17,7 @@ cleanup() + trap - EXIT TERM INT + if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then + echo "--- Cleaning up ---" +- perf probe -x ${temp_dir}/testfile -d foo ++ perf probe -x ${temp_dir}/testfile -d foo || true + rm -f "${temp_dir}/"* + rmdir "${temp_dir}" + fi +-- +2.40.1 + diff --git a/queue-5.10/rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch b/queue-5.10/rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch new file mode 100644 index 00000000000..f90d655622f --- /dev/null +++ b/queue-5.10/rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch @@ -0,0 +1,66 @@ +From 532dc16e51b73b9784dcc70e041a29a501b53626 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 15:53:14 +0800 +Subject: rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length + +From: Lin Ma + +[ Upstream commit d73ef2d69c0dba5f5a1cb9600045c873bab1fb7f ] + +There are totally 9 ndo_bridge_setlink handlers in the current kernel, +which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink 3) +i40e_ndo_bridge_setlink 4) ice_bridge_setlink 5) +ixgbe_ndo_bridge_setlink 6) mlx5e_bridge_setlink 7) +nfp_net_bridge_setlink 8) qeth_l2_bridge_setlink 9) br_setlink. + +By investigating the code, we find that 1-7 parse and use nlattr +IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can +lead to an out-of-attribute read and allow a malformed nlattr (e.g., +length 0) to be viewed as a 2 byte integer. + +To avoid such issues, also for other ndo_bridge_setlink handlers in the +future. This patch adds the nla_len check in rtnl_bridge_setlink and +does an early error return if length mismatches. To make it works, the +break is removed from the parsing for IFLA_BRIDGE_FLAGS to make sure +this nla_for_each_nested iterates every attribute. 
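+
+The defensive parsing pattern looks roughly like this (sketch only, not
+the verbatim rtnl_bridge_setlink() hunk):
+
+    nla_for_each_nested(attr, br_spec, rem) {
+        if (nla_type(attr) == IFLA_BRIDGE_MODE &&
+            nla_len(attr) < sizeof(u16))
+            return -EINVAL;   /* reject malformed/short attributes */
+    }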
+ +Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink") +Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops") +Suggested-by: Jakub Kicinski +Signed-off-by: Lin Ma +Acked-by: Nikolay Aleksandrov +Reviewed-by: Hangbin Liu +Link: https://lore.kernel.org/r/20230726075314.1059224-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index d3c03ebf06a5b..ce37a052b9c32 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -4897,13 +4897,17 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, + br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); + if (br_spec) { + nla_for_each_nested(attr, br_spec, rem) { +- if (nla_type(attr) == IFLA_BRIDGE_FLAGS) { ++ if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) { + if (nla_len(attr) < sizeof(flags)) + return -EINVAL; + + have_flags = true; + flags = nla_get_u16(attr); +- break; ++ } ++ ++ if (nla_type(attr) == IFLA_BRIDGE_MODE) { ++ if (nla_len(attr) < sizeof(u16)) ++ return -EINVAL; + } + } + } +-- +2.40.1 + diff --git a/queue-5.10/s390-qeth-don-t-call-dev_close-dev_open-down-up.patch b/queue-5.10/s390-qeth-don-t-call-dev_close-dev_open-down-up.patch new file mode 100644 index 00000000000..e41528ae767 --- /dev/null +++ b/queue-5.10/s390-qeth-don-t-call-dev_close-dev_open-down-up.patch @@ -0,0 +1,104 @@ +From 3d5b5b64566798bd4040f51cb51eb49098e59c03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 10:00:16 +0200 +Subject: s390/qeth: Don't call dev_close/dev_open (DOWN/UP) + +From: Alexandra Winter + +[ Upstream commit 1cfef80d4c2b2c599189f36f36320b205d9447d9 ] + +dev_close() and dev_open() are issued to change the interface state to DOWN +or UP (dev->flags IFF_UP). When the netdev is set DOWN it loses e.g its +Ipv6 addresses and routes. We don't want this in cases of device recovery +(triggered by hardware or software) or when the qeth device is set +offline. + +Setting a qeth device offline or online and device recovery actions call +netif_device_detach() and/or netif_device_attach(). That will reset or +set the LOWER_UP indication i.e. change the dev->state Bit +__LINK_STATE_PRESENT. That is enough to e.g. cause bond failovers, and +still preserves the interface settings that are handled by the network +stack. + +Don't call dev_open() nor dev_close() from the qeth device driver. Let the +network stack handle this. + +Fixes: d4560150cb47 ("s390/qeth: call dev_close() during recovery") +Signed-off-by: Alexandra Winter +Reviewed-by: Wenjia Zhang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core.h | 1 - + drivers/s390/net/qeth_core_main.c | 2 -- + drivers/s390/net/qeth_l2_main.c | 9 ++++++--- + drivers/s390/net/qeth_l3_main.c | 8 +++++--- + 4 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h +index bf8404b0e74ff..2544edd4d2b56 100644 +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -719,7 +719,6 @@ struct qeth_card_info { + u16 chid; + u8 ids_valid:1; /* cssid,iid,chid */ + u8 dev_addr_is_registered:1; +- u8 open_when_online:1; + u8 promisc_mode:1; + u8 use_v1_blkt:1; + u8 is_vm_nic:1; +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 7b0155b0e99ee..73d564906d043 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -5351,8 +5351,6 @@ int qeth_set_offline(struct qeth_card *card, const struct qeth_discipline *disc, + qeth_clear_ipacmd_list(card); + + rtnl_lock(); +- card->info.open_when_online = card->dev->flags & IFF_UP; +- dev_close(card->dev); + netif_device_detach(card->dev); + netif_carrier_off(card->dev); + rtnl_unlock(); +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index cfc931f2b7e2c..1797addf69b63 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -2270,9 +2270,12 @@ static int qeth_l2_set_online(struct qeth_card *card, bool carrier_ok) + qeth_enable_hw_features(dev); + qeth_l2_enable_brport_features(card); + +- if (card->info.open_when_online) { +- card->info.open_when_online = 0; +- dev_open(dev, NULL); ++ if (netif_running(dev)) { ++ local_bh_disable(); ++ napi_schedule(&card->napi); ++ /* kick-start the NAPI softirq: */ ++ local_bh_enable(); ++ qeth_l2_set_rx_mode(dev); + } + rtnl_unlock(); + } +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index 291861c9b9569..d8cdf90241268 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -2037,9 +2037,11 @@ static int qeth_l3_set_online(struct qeth_card *card, bool carrier_ok) + netif_device_attach(dev); + qeth_enable_hw_features(dev); + +- if (card->info.open_when_online) { +- card->info.open_when_online = 0; +- dev_open(dev, NULL); ++ if (netif_running(dev)) { ++ local_bh_disable(); ++ napi_schedule(&card->napi); ++ /* kick-start the NAPI softirq: */ ++ local_bh_enable(); + } + rtnl_unlock(); + } +-- +2.40.1 + diff --git a/queue-5.10/series b/queue-5.10/series index f6922dfe938..921dd078131 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -122,3 +122,40 @@ x86-kprobes-fix-jng-jnle-emulation.patch io_uring-gate-iowait-schedule-on-having-pending-requests.patch perf-fix-function-pointer-case.patch loop-select-i-o-scheduler-none-from-inside-add_disk.patch +arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch +word-at-a-time-use-the-same-return-type-for-has_zero.patch +kvm-s390-fix-sthyi-error-handling.patch +wifi-cfg80211-fix-return-value-in-scan-logic.patch +net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch +net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch +bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch +rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch +net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch +perf-test-uprobe_from_different_cu-skip-if-there-is-.patch +net-sched-cls_u32-fix-match-key-mis-addressing.patch +misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch 
+net-annotate-data-races-around-sk-sk_max_pacing_rate.patch +net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch +net-add-missing-read_once-sk-sk_sndbuf-annotation.patch +net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch +net-add-missing-data-race-annotations-around-sk-sk_p.patch +net-add-missing-data-race-annotation-for-sk_ll_usec.patch +net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch +net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch +net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch +bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch +net-ll_temac-switch-to-use-dev_err_probe-helper.patch +net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch +net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch +net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch +s390-qeth-don-t-call-dev_close-dev_open-down-up.patch +ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch +vxlan-fix-nexthop-hash-size.patch +net-mlx5-fs_core-make-find_closest_ft-more-generic.patch +net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch +tcp_metrics-fix-addr_same-helper.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch +tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch diff --git a/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch new file mode 100644 index 00000000000..0b06eb88027 --- /dev/null +++ b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch @@ -0,0 +1,51 @@ +From b6b370dc9e30f7e155abfd3ac0c90cb000b3176a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:57 +0000 +Subject: tcp_metrics: annotate data-races around tm->tcpm_lock + +From: Eric Dumazet + +[ Upstream commit 285ce119a3c6c4502585936650143e54c8692788 ] + +tm->tcpm_lock can be read or written locklessly. + +Add needed READ_ONCE()/WRITE_ONCE() to document this. 
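+
+As a sketch of the race being annotated (illustrative only):
+
+    CPU0: tcpm_suck_dst()              CPU1: tcp_metric_locked()
+    WRITE_ONCE(tm->tcpm_lock, val);    READ_ONCE(tm->tcpm_lock) & (1 << idx);
+
+The accesses still race by design; the annotations keep the compiler
+from tearing or fusing the loads and stores and document that the
+lockless access is intentional.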
+ +Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 20d2addddd16e..6617cba199826 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -59,7 +59,8 @@ static inline struct net *tm_net(struct tcp_metrics_block *tm) + static bool tcp_metric_locked(struct tcp_metrics_block *tm, + enum tcp_metric_index idx) + { +- return tm->tcpm_lock & (1 << idx); ++ /* Paired with WRITE_ONCE() in tcpm_suck_dst() */ ++ return READ_ONCE(tm->tcpm_lock) & (1 << idx); + } + + static u32 tcp_metric_get(struct tcp_metrics_block *tm, +@@ -110,7 +111,8 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + val |= 1 << TCP_METRIC_CWND; + if (dst_metric_locked(dst, RTAX_REORDERING)) + val |= 1 << TCP_METRIC_REORDERING; +- tm->tcpm_lock = val; ++ /* Paired with READ_ONCE() in tcp_metric_locked() */ ++ WRITE_ONCE(tm->tcpm_lock, val); + + msval = dst_metric_raw(dst, RTAX_RTT); + tm->tcpm_vals[TCP_METRIC_RTT] = msval * USEC_PER_MSEC; +-- +2.40.1 + diff --git a/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch new file mode 100644 index 00000000000..e02249f768b --- /dev/null +++ b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch @@ -0,0 +1,66 @@ +From 98a10c8c5a35af4cc930f259d833a854879ef63a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:59 +0000 +Subject: tcp_metrics: annotate data-races around tm->tcpm_net + +From: Eric Dumazet + +[ Upstream commit d5d986ce42c71a7562d32c4e21e026b0f87befec ] + +tm->tcpm_net can be read or written locklessly. + +Instead of changing write_pnet() and read_pnet() and potentially +hurt performance, add the needed READ_ONCE()/WRITE_ONCE() +in tm_net() and tcpm_new(). 
+ +Fixes: 849e8a0ca8d5 ("tcp_metrics: Add a field tcpm_net and verify it matches on lookup") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 6ea833474feb5..b01cc35407481 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -40,7 +40,7 @@ struct tcp_fastopen_metrics { + + struct tcp_metrics_block { + struct tcp_metrics_block __rcu *tcpm_next; +- possible_net_t tcpm_net; ++ struct net *tcpm_net; + struct inetpeer_addr tcpm_saddr; + struct inetpeer_addr tcpm_daddr; + unsigned long tcpm_stamp; +@@ -51,9 +51,10 @@ struct tcp_metrics_block { + struct rcu_head rcu_head; + }; + +-static inline struct net *tm_net(struct tcp_metrics_block *tm) ++static inline struct net *tm_net(const struct tcp_metrics_block *tm) + { +- return read_pnet(&tm->tcpm_net); ++ /* Paired with the WRITE_ONCE() in tcpm_new() */ ++ return READ_ONCE(tm->tcpm_net); + } + + static bool tcp_metric_locked(struct tcp_metrics_block *tm, +@@ -197,7 +198,9 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst, + if (!tm) + goto out_unlock; + } +- write_pnet(&tm->tcpm_net, net); ++ /* Paired with the READ_ONCE() in tm_net() */ ++ WRITE_ONCE(tm->tcpm_net, net); ++ + tm->tcpm_saddr = *saddr; + tm->tcpm_daddr = *daddr; + +-- +2.40.1 + diff --git a/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch new file mode 100644 index 00000000000..ae5cfd4e3b6 --- /dev/null +++ b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch @@ -0,0 +1,88 @@ +From a722f1bd2fe1798ccb064ae52f7f8f54e677be57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:56 +0000 +Subject: tcp_metrics: annotate data-races around tm->tcpm_stamp + +From: Eric Dumazet + +[ Upstream commit 949ad62a5d5311d36fce2e14fe5fed3f936da51c ] + +tm->tcpm_stamp can be read or written locklessly. + +Add needed READ_ONCE()/WRITE_ONCE() to document this. + +Also constify tcpm_check_stamp() dst argument. 
+ +Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 3fe7eb3bc84c9..20d2addddd16e 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -97,7 +97,7 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + u32 msval; + u32 val; + +- tm->tcpm_stamp = jiffies; ++ WRITE_ONCE(tm->tcpm_stamp, jiffies); + + val = 0; + if (dst_metric_locked(dst, RTAX_RTT)) +@@ -131,9 +131,15 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + + #define TCP_METRICS_TIMEOUT (60 * 60 * HZ) + +-static void tcpm_check_stamp(struct tcp_metrics_block *tm, struct dst_entry *dst) ++static void tcpm_check_stamp(struct tcp_metrics_block *tm, ++ const struct dst_entry *dst) + { +- if (tm && unlikely(time_after(jiffies, tm->tcpm_stamp + TCP_METRICS_TIMEOUT))) ++ unsigned long limit; ++ ++ if (!tm) ++ return; ++ limit = READ_ONCE(tm->tcpm_stamp) + TCP_METRICS_TIMEOUT; ++ if (unlikely(time_after(jiffies, limit))) + tcpm_suck_dst(tm, dst, false); + } + +@@ -174,7 +180,8 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst, + oldest = deref_locked(tcp_metrics_hash[hash].chain); + for (tm = deref_locked(oldest->tcpm_next); tm; + tm = deref_locked(tm->tcpm_next)) { +- if (time_before(tm->tcpm_stamp, oldest->tcpm_stamp)) ++ if (time_before(READ_ONCE(tm->tcpm_stamp), ++ READ_ONCE(oldest->tcpm_stamp))) + oldest = tm; + } + tm = oldest; +@@ -434,7 +441,7 @@ void tcp_update_metrics(struct sock *sk) + tp->reordering); + } + } +- tm->tcpm_stamp = jiffies; ++ WRITE_ONCE(tm->tcpm_stamp, jiffies); + out_unlock: + rcu_read_unlock(); + } +@@ -647,7 +654,7 @@ static int tcp_metrics_fill_info(struct sk_buff *msg, + } + + if (nla_put_msecs(msg, TCP_METRICS_ATTR_AGE, +- jiffies - tm->tcpm_stamp, ++ jiffies - READ_ONCE(tm->tcpm_stamp), + TCP_METRICS_ATTR_PAD) < 0) + goto nla_put_failure; + +-- +2.40.1 + diff --git a/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch new file mode 100644 index 00000000000..f215889864e --- /dev/null +++ b/queue-5.10/tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch @@ -0,0 +1,85 @@ +From 94fdf1c564609d28b3a23ba05895c1fe4f7af788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:58 +0000 +Subject: tcp_metrics: annotate data-races around tm->tcpm_vals[] + +From: Eric Dumazet + +[ Upstream commit 8c4d04f6b443869d25e59822f7cec88d647028a9 ] + +tm->tcpm_vals[] values can be read or written locklessly. 
+ +Add needed READ_ONCE()/WRITE_ONCE() to document this, +and force use of tcp_metric_get() and tcp_metric_set() + +Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 6617cba199826..6ea833474feb5 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -63,17 +63,19 @@ static bool tcp_metric_locked(struct tcp_metrics_block *tm, + return READ_ONCE(tm->tcpm_lock) & (1 << idx); + } + +-static u32 tcp_metric_get(struct tcp_metrics_block *tm, ++static u32 tcp_metric_get(const struct tcp_metrics_block *tm, + enum tcp_metric_index idx) + { +- return tm->tcpm_vals[idx]; ++ /* Paired with WRITE_ONCE() in tcp_metric_set() */ ++ return READ_ONCE(tm->tcpm_vals[idx]); + } + + static void tcp_metric_set(struct tcp_metrics_block *tm, + enum tcp_metric_index idx, + u32 val) + { +- tm->tcpm_vals[idx] = val; ++ /* Paired with READ_ONCE() in tcp_metric_get() */ ++ WRITE_ONCE(tm->tcpm_vals[idx], val); + } + + static bool addr_same(const struct inetpeer_addr *a, +@@ -115,13 +117,16 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + WRITE_ONCE(tm->tcpm_lock, val); + + msval = dst_metric_raw(dst, RTAX_RTT); +- tm->tcpm_vals[TCP_METRIC_RTT] = msval * USEC_PER_MSEC; ++ tcp_metric_set(tm, TCP_METRIC_RTT, msval * USEC_PER_MSEC); + + msval = dst_metric_raw(dst, RTAX_RTTVAR); +- tm->tcpm_vals[TCP_METRIC_RTTVAR] = msval * USEC_PER_MSEC; +- tm->tcpm_vals[TCP_METRIC_SSTHRESH] = dst_metric_raw(dst, RTAX_SSTHRESH); +- tm->tcpm_vals[TCP_METRIC_CWND] = dst_metric_raw(dst, RTAX_CWND); +- tm->tcpm_vals[TCP_METRIC_REORDERING] = dst_metric_raw(dst, RTAX_REORDERING); ++ tcp_metric_set(tm, TCP_METRIC_RTTVAR, msval * USEC_PER_MSEC); ++ tcp_metric_set(tm, TCP_METRIC_SSTHRESH, ++ dst_metric_raw(dst, RTAX_SSTHRESH)); ++ tcp_metric_set(tm, TCP_METRIC_CWND, ++ dst_metric_raw(dst, RTAX_CWND)); ++ tcp_metric_set(tm, TCP_METRIC_REORDERING, ++ dst_metric_raw(dst, RTAX_REORDERING)); + if (fastopen_clear) { + tm->tcpm_fastopen.mss = 0; + tm->tcpm_fastopen.syn_loss = 0; +@@ -667,7 +672,7 @@ static int tcp_metrics_fill_info(struct sk_buff *msg, + if (!nest) + goto nla_put_failure; + for (i = 0; i < TCP_METRIC_MAX_KERNEL + 1; i++) { +- u32 val = tm->tcpm_vals[i]; ++ u32 val = tcp_metric_get(tm, i); + + if (!val) + continue; +-- +2.40.1 + diff --git a/queue-5.10/tcp_metrics-fix-addr_same-helper.patch b/queue-5.10/tcp_metrics-fix-addr_same-helper.patch new file mode 100644 index 00000000000..26fecbd1703 --- /dev/null +++ b/queue-5.10/tcp_metrics-fix-addr_same-helper.patch @@ -0,0 +1,46 @@ +From e7777f71c5e26b50345de02a98e42e60d57ceb76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:55 +0000 +Subject: tcp_metrics: fix addr_same() helper + +From: Eric Dumazet + +[ Upstream commit e6638094d7af6c7b9dcca05ad009e79e31b4f670 ] + +Because v4 and v6 families use separate inetpeer trees (respectively +net->ipv4.peers and net->ipv6.peers), inetpeer_addr_cmp(a, b) assumes +a & b share the same family. + +tcp_metrics use a common hash table, where entries can have different +families. + +We must therefore make sure to not call inetpeer_addr_cmp() +if the families do not match. 
+ +Fixes: d39d14ffa24c ("net: Add helper function to compare inetpeer addresses") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index f3ca6eea2ca39..3fe7eb3bc84c9 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -78,7 +78,7 @@ static void tcp_metric_set(struct tcp_metrics_block *tm, + static bool addr_same(const struct inetpeer_addr *a, + const struct inetpeer_addr *b) + { +- return inetpeer_addr_cmp(a, b) == 0; ++ return (a->family == b->family) && !inetpeer_addr_cmp(a, b); + } + + struct tcpm_hash_bucket { +-- +2.40.1 + diff --git a/queue-5.10/tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch b/queue-5.10/tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch new file mode 100644 index 00000000000..7b4632b6892 --- /dev/null +++ b/queue-5.10/tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch @@ -0,0 +1,85 @@ +From 159c662df00a39740806de9c27ae9876e654bb53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:15:00 +0000 +Subject: tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen + +From: Eric Dumazet + +[ Upstream commit ddf251fa2bc1d3699eec0bae6ed0bc373b8fda79 ] + +Whenever tcpm_new() reclaims an old entry, tcpm_suck_dst() +would overwrite data that could be read from tcp_fastopen_cache_get() +or tcp_metrics_fill_info(). + +We need to acquire fastopen_seqlock to maintain consistency. + +For newly allocated objects, tcpm_new() can switch to kzalloc() +to avoid an extra fastopen_seqlock acquisition. 
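+
+For illustration, the reader side pairs with this as a classic seqlock
+retry loop (paraphrased from tcp_fastopen_cache_get(), not verbatim):
+
+    unsigned int seq;
+
+    do {
+        seq = read_seqbegin(&fastopen_seqlock);
+        /* copy tm->tcpm_fastopen fields into local variables */
+    } while (read_seqretry(&fastopen_seqlock, seq));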
+ +Fixes: 1fe4c481ba63 ("net-tcp: Fast Open client - cookie cache") +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index b01cc35407481..a707fa1dbcafd 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -93,6 +93,7 @@ static struct tcpm_hash_bucket *tcp_metrics_hash __read_mostly; + static unsigned int tcp_metrics_hash_log __read_mostly; + + static DEFINE_SPINLOCK(tcp_metrics_lock); ++static DEFINE_SEQLOCK(fastopen_seqlock); + + static void tcpm_suck_dst(struct tcp_metrics_block *tm, + const struct dst_entry *dst, +@@ -129,11 +130,13 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + tcp_metric_set(tm, TCP_METRIC_REORDERING, + dst_metric_raw(dst, RTAX_REORDERING)); + if (fastopen_clear) { ++ write_seqlock(&fastopen_seqlock); + tm->tcpm_fastopen.mss = 0; + tm->tcpm_fastopen.syn_loss = 0; + tm->tcpm_fastopen.try_exp = 0; + tm->tcpm_fastopen.cookie.exp = false; + tm->tcpm_fastopen.cookie.len = 0; ++ write_sequnlock(&fastopen_seqlock); + } + } + +@@ -194,7 +197,7 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst, + } + tm = oldest; + } else { +- tm = kmalloc(sizeof(*tm), GFP_ATOMIC); ++ tm = kzalloc(sizeof(*tm), GFP_ATOMIC); + if (!tm) + goto out_unlock; + } +@@ -204,7 +207,7 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst, + tm->tcpm_saddr = *saddr; + tm->tcpm_daddr = *daddr; + +- tcpm_suck_dst(tm, dst, true); ++ tcpm_suck_dst(tm, dst, reclaim); + + if (likely(!reclaim)) { + tm->tcpm_next = tcp_metrics_hash[hash].chain; +@@ -556,8 +559,6 @@ bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst) + return ret; + } + +-static DEFINE_SEQLOCK(fastopen_seqlock); +- + void tcp_fastopen_cache_get(struct sock *sk, u16 *mss, + struct tcp_fastopen_cookie *cookie) + { +-- +2.40.1 + diff --git a/queue-5.10/vxlan-fix-nexthop-hash-size.patch b/queue-5.10/vxlan-fix-nexthop-hash-size.patch new file mode 100644 index 00000000000..1967b730f36 --- /dev/null +++ b/queue-5.10/vxlan-fix-nexthop-hash-size.patch @@ -0,0 +1,175 @@ +From 7072200d7d03fc5bdeecd74ca8863eec3262426a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 16:02:08 -0400 +Subject: vxlan: Fix nexthop hash size + +From: Benjamin Poirier + +[ Upstream commit 0756384fb1bd38adb2ebcfd1307422f433a1d772 ] + +The nexthop code expects a 31 bit hash, such as what is returned by +fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash +returned by skb_get_hash() can lead to problems related to the fact that +'int hash' is a negative number when the MSB is set. + +In the case of hash threshold nexthop groups, nexthop_select_path_hthr() +will disproportionately select the first nexthop group entry. 
In the case +of resilient nexthop groups, nexthop_select_path_res() may do an out of +bounds access in nh_buckets[], for example: + hash = -912054133 + num_nh_buckets = 2 + bucket_index = 65535 + +which leads to the following panic: + +BUG: unable to handle page fault for address: ffffc900025910c8 +PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0 +Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI +CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +Workqueue: ipv6_addrconf addrconf_dad_work +RIP: 0010:nexthop_select_path+0x197/0xbf0 +Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85 +RSP: 0018:ffff88810c36f260 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77 +RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8 +RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219 +R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0 +R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900 +FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0 +PKRU: 55555554 +Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x1ee/0x5c0 + ? __pfx_is_prefetch.constprop.0+0x10/0x10 + ? __pfx_page_fault_oops+0x10/0x10 + ? search_bpf_extables+0xfe/0x1c0 + ? fixup_exception+0x3b/0x470 + ? exc_page_fault+0xf6/0x110 + ? asm_exc_page_fault+0x26/0x30 + ? nexthop_select_path+0x197/0xbf0 + ? nexthop_select_path+0x197/0xbf0 + ? lock_is_held_type+0xe7/0x140 + vxlan_xmit+0x5b2/0x2340 + ? __lock_acquire+0x92b/0x3370 + ? __pfx_vxlan_xmit+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + ? __pfx_register_lock_class+0x10/0x10 + ? skb_network_protocol+0xce/0x2d0 + ? dev_hard_start_xmit+0xca/0x350 + ? __pfx_vxlan_xmit+0x10/0x10 + dev_hard_start_xmit+0xca/0x350 + __dev_queue_xmit+0x513/0x1e20 + ? __pfx___dev_queue_xmit+0x10/0x10 + ? __pfx_lock_release+0x10/0x10 + ? mark_held_locks+0x44/0x90 + ? skb_push+0x4c/0x80 + ? eth_header+0x81/0xe0 + ? __pfx_eth_header+0x10/0x10 + ? neigh_resolve_output+0x215/0x310 + ? ip6_finish_output2+0x2ba/0xc90 + ip6_finish_output2+0x2ba/0xc90 + ? lock_release+0x236/0x3e0 + ? ip6_mtu+0xbb/0x240 + ? __pfx_ip6_finish_output2+0x10/0x10 + ? find_held_lock+0x83/0xa0 + ? lock_is_held_type+0xe7/0x140 + ip6_finish_output+0x1ee/0x780 + ip6_output+0x138/0x460 + ? __pfx_ip6_output+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + ? __pfx_ip6_finish_output+0x10/0x10 + NF_HOOK.constprop.0+0xc0/0x420 + ? __pfx_NF_HOOK.constprop.0+0x10/0x10 + ? ndisc_send_skb+0x2c0/0x960 + ? __pfx_lock_release+0x10/0x10 + ? __local_bh_enable_ip+0x93/0x110 + ? lock_is_held_type+0xe7/0x140 + ndisc_send_skb+0x4be/0x960 + ? __pfx_ndisc_send_skb+0x10/0x10 + ? mark_held_locks+0x65/0x90 + ? find_held_lock+0x83/0xa0 + ndisc_send_ns+0xb0/0x110 + ? __pfx_ndisc_send_ns+0x10/0x10 + addrconf_dad_work+0x631/0x8e0 + ? lock_acquire+0x180/0x3f0 + ? __pfx_addrconf_dad_work+0x10/0x10 + ? mark_held_locks+0x24/0x90 + process_one_work+0x582/0x9c0 + ? __pfx_process_one_work+0x10/0x10 + ? __pfx_do_raw_spin_lock+0x10/0x10 + ? mark_held_locks+0x24/0x90 + worker_thread+0x93/0x630 + ? __kthread_parkme+0xdc/0x100 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x1a5/0x1e0 + ? 
__pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x60 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 +RIP: 0000:0x0 +Code: Unable to access opcode bytes at 0xffffffffffffffd6. +RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Modules linked in: +CR2: ffffc900025910c8 +---[ end trace 0000000000000000 ]--- +RIP: 0010:nexthop_select_path+0x197/0xbf0 +Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85 +RSP: 0018:ffff88810c36f260 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77 +RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8 +RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219 +R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0 +R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900 +FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 0000000129d00000 CR4: 0000000000750ee0 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception in interrupt +Kernel Offset: 0x2ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Fix this problem by ensuring the MSB of hash is 0 using a right shift - the +same approach used in fib_multipath_hash() and rt6_multipath_hash(). + +Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries") +Signed-off-by: Benjamin Poirier +Reviewed-by: Ido Schimmel +Reviewed-by: Simon Horman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + include/net/vxlan.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/vxlan.h b/include/net/vxlan.h +index cf1d870f7b9a8..e149a0b6f9a3c 100644 +--- a/include/net/vxlan.h ++++ b/include/net/vxlan.h +@@ -497,12 +497,12 @@ static inline void vxlan_flag_attr_error(int attrtype, + } + + static inline bool vxlan_fdb_nh_path_select(struct nexthop *nh, +- int hash, ++ u32 hash, + struct vxlan_rdst *rdst) + { + struct fib_nh_common *nhc; + +- nhc = nexthop_path_fdb_result(nh, hash); ++ nhc = nexthop_path_fdb_result(nh, hash >> 1); + if (unlikely(!nhc)) + return false; + +-- +2.40.1 + diff --git a/queue-5.10/wifi-cfg80211-fix-return-value-in-scan-logic.patch b/queue-5.10/wifi-cfg80211-fix-return-value-in-scan-logic.patch new file mode 100644 index 00000000000..22228dc5dad --- /dev/null +++ b/queue-5.10/wifi-cfg80211-fix-return-value-in-scan-logic.patch @@ -0,0 +1,43 @@ +From feca9f59cfc7712b644a014dd64dff91bc6d0bb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 23:10:43 +0300 +Subject: wifi: cfg80211: Fix return value in scan logic + +From: Ilan Peer + +[ Upstream commit fd7f08d92fcd7cc3eca0dd6c853f722a4c6176df ] + +The reporter noticed a warning when running iwlwifi: + +WARNING: CPU: 8 PID: 659 at mm/page_alloc.c:4453 __alloc_pages+0x329/0x340 + +As cfg80211_parse_colocated_ap() is not expected to return a negative +value return 0 and not a negative value if cfg80211_calc_short_ssid() +fails. + +Fixes: c8cb5b854b40f ("nl80211/cfg80211: support 6 GHz scanning") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217675 +Signed-off-by: Ilan Peer +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230723201043.3007430-1-ilan.peer@intel.com +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 671c7f83d5fc3..f59691936e5b8 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -641,7 +641,7 @@ static int cfg80211_parse_colocated_ap(const struct cfg80211_bss_ies *ies, + + ret = cfg80211_calc_short_ssid(ies, &ssid_elem, &s_ssid_tmp); + if (ret) +- return ret; ++ return 0; + + /* RNR IE may contain more than one NEIGHBOR_AP_INFO */ + while (pos + sizeof(*ap_info) <= end) { +-- +2.40.1 + diff --git a/queue-5.10/word-at-a-time-use-the-same-return-type-for-has_zero.patch b/queue-5.10/word-at-a-time-use-the-same-return-type-for-has_zero.patch new file mode 100644 index 00000000000..57c48864a91 --- /dev/null +++ b/queue-5.10/word-at-a-time-use-the-same-return-type-for-has_zero.patch @@ -0,0 +1,74 @@ +From 9b0ba24b6a48ff8e2d080cd37ac2bfa14d833ecd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 15:22:17 -0700 +Subject: word-at-a-time: use the same return type for has_zero regardless of + endianness + +From: ndesaulniers@google.com + +[ Upstream commit 79e8328e5acbe691bbde029a52c89d70dcbc22f3 ] + +Compiling big-endian targets with Clang produces the diagnostic: + + fs/namei.c:2173:13: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] + } while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants))); + ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + || + fs/namei.c:2173:13: note: cast one or both operands to int to silence this warning + +It appears that when has_zero was introduced, two definitions were +produced with different signatures (in particular different return +types). 
+ +Looking at the usage in hash_name() in fs/namei.c, I suspect that +has_zero() is meant to be invoked twice per while loop iteration; using +logical-or would not update `bdata` when `a` did not have zeros. So I +think it's preferred to always return an unsigned long rather than a +bool than update the while loop in hash_name() to use a logical-or +rather than bitwise-or. + +[ Also changed powerpc version to do the same - Linus ] + +Link: https://github.com/ClangBuiltLinux/linux/issues/1832 +Link: https://lore.kernel.org/lkml/20230801-bitwise-v1-1-799bec468dc4@google.com/ +Fixes: 36126f8f2ed8 ("word-at-a-time: make the interfaces truly generic") +Debugged-by: Nathan Chancellor +Signed-off-by: Nick Desaulniers +Acked-by: Heiko Carstens +Cc: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/word-at-a-time.h | 2 +- + include/asm-generic/word-at-a-time.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/word-at-a-time.h b/arch/powerpc/include/asm/word-at-a-time.h +index f3f4710d4ff52..99129b0cd8b8a 100644 +--- a/arch/powerpc/include/asm/word-at-a-time.h ++++ b/arch/powerpc/include/asm/word-at-a-time.h +@@ -34,7 +34,7 @@ static inline long find_zero(unsigned long mask) + return leading_zero_bits >> 3; + } + +-static inline bool has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) ++static inline unsigned long has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) + { + unsigned long rhs = val | c->low_bits; + *data = rhs; +diff --git a/include/asm-generic/word-at-a-time.h b/include/asm-generic/word-at-a-time.h +index 20c93f08c9933..95a1d214108a5 100644 +--- a/include/asm-generic/word-at-a-time.h ++++ b/include/asm-generic/word-at-a-time.h +@@ -38,7 +38,7 @@ static inline long find_zero(unsigned long mask) + return (mask >> 8) ? byte : byte + 1; + } + +-static inline bool has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) ++static inline unsigned long has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) + { + unsigned long rhs = val | c->low_bits; + *data = rhs; +-- +2.40.1 +