From: Sasha Levin Date: Fri, 4 Oct 2024 16:20:14 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.6.55~153 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d5dfaccaa195db4c028e45f1248a46223168a59c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch b/queue-5.4/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch new file mode 100644 index 00000000000..18b7417ac74 --- /dev/null +++ b/queue-5.4/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch @@ -0,0 +1,45 @@ +From c2737f36a11041b1aa192b26350cfa29fbbb36df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 11:12:04 +0800 +Subject: Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 7b1ab460592ca818e7b52f27cd3ec86af79220d1 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: bb7f4f0bcee6 ("btmrvl: add platform specific wakeup interrupt support") +Signed-off-by: Jinjie Ruan +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmrvl_sdio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c +index cfb9f9db44a0d..be7145d43570f 100644 +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -105,7 +105,7 @@ static int btmrvl_sdio_probe_of(struct device *dev, + } else { + ret = devm_request_irq(dev, cfg->irq_bt, + btmrvl_wake_irq_bt, +- 0, "bt_wake", card); ++ IRQF_NO_AUTOEN, "bt_wake", card); + if (ret) { + dev_err(dev, + "Failed to request irq_bt %d (%d)\n", +@@ -114,7 +114,6 @@ static int btmrvl_sdio_probe_of(struct device *dev, + + /* Configure wakeup (enabled by default) */ + device_init_wakeup(dev, true); +- disable_irq(cfg->irq_bt); + } + } + +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-btmrvl_sdio-refactor-irq-wakeup.patch b/queue-5.4/bluetooth-btmrvl_sdio-refactor-irq-wakeup.patch new file mode 100644 index 00000000000..6df932c7b7f --- /dev/null +++ b/queue-5.4/bluetooth-btmrvl_sdio-refactor-irq-wakeup.patch @@ -0,0 +1,78 @@ +From cd16b120080a6c4c8556db5909b2f56ca486d084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jun 2020 18:53:55 -0700 +Subject: Bluetooth: btmrvl_sdio: Refactor irq wakeup + +From: Abhishek Pandit-Subedi + +[ Upstream commit e660b3510eb4b3c06ce1188a1d305b6f653106fc ] + +Use device_init_wakeup to allow the Bluetooth dev to wake the system +from suspend. Currently, the device can wake the system but no +power/wakeup entry is created in sysfs to allow userspace to disable +wakeup. + +Signed-off-by: Abhishek Pandit-Subedi +Reviewed-by: Douglas Anderson +Signed-off-by: Marcel Holtmann +Stable-dep-of: 7b1ab460592c ("Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmrvl_sdio.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c +index 4c7978cb1786f..cfb9f9db44a0d 100644 +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -111,6 +111,9 @@ static int btmrvl_sdio_probe_of(struct device *dev, + "Failed to request irq_bt %d (%d)\n", + cfg->irq_bt, ret); + } ++ ++ /* Configure wakeup (enabled by default) */ ++ device_init_wakeup(dev, true); + disable_irq(cfg->irq_bt); + } + } +@@ -1654,6 +1657,7 @@ static void btmrvl_sdio_remove(struct sdio_func *func) + MODULE_SHUTDOWN_REQ); + btmrvl_sdio_disable_host_int(card); + } ++ + BT_DBG("unregister dev"); + card->priv->surprise_removed = true; + btmrvl_sdio_unregister_dev(card); +@@ -1690,7 +1694,8 @@ static int btmrvl_sdio_suspend(struct device *dev) + } + + /* Enable platform specific wakeup interrupt */ +- if (card->plt_wake_cfg && card->plt_wake_cfg->irq_bt >= 0) { ++ if (card->plt_wake_cfg && card->plt_wake_cfg->irq_bt >= 0 && ++ device_may_wakeup(dev)) { + card->plt_wake_cfg->wake_by_bt = false; + enable_irq(card->plt_wake_cfg->irq_bt); + enable_irq_wake(card->plt_wake_cfg->irq_bt); +@@ -1707,7 +1712,8 @@ static int btmrvl_sdio_suspend(struct device *dev) + BT_ERR("HS not activated, suspend failed!"); + /* Disable platform specific wakeup interrupt */ + if (card->plt_wake_cfg && +- card->plt_wake_cfg->irq_bt >= 0) { ++ card->plt_wake_cfg->irq_bt >= 0 && ++ device_may_wakeup(dev)) { + disable_irq_wake(card->plt_wake_cfg->irq_bt); + disable_irq(card->plt_wake_cfg->irq_bt); + } +@@ -1767,7 +1773,8 @@ static int btmrvl_sdio_resume(struct device *dev) + hci_resume_dev(hcidev); + + /* Disable platform specific wakeup interrupt */ +- if (card->plt_wake_cfg && card->plt_wake_cfg->irq_bt >= 0) { ++ if (card->plt_wake_cfg && card->plt_wake_cfg->irq_bt >= 0 && ++ device_may_wakeup(dev)) { + disable_irq_wake(card->plt_wake_cfg->irq_bt); + disable_irq(card->plt_wake_cfg->irq_bt); + if (card->plt_wake_cfg->wake_by_bt) +-- +2.43.0 + diff --git a/queue-5.4/ceph-remove-the-incorrect-fw-reference-check-when-di.patch b/queue-5.4/ceph-remove-the-incorrect-fw-reference-check-when-di.patch new file mode 100644 index 00000000000..55aebb5b552 --- /dev/null +++ b/queue-5.4/ceph-remove-the-incorrect-fw-reference-check-when-di.patch @@ -0,0 +1,37 @@ +From 57ce9b69179eac633f651023e60a14487de3442f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 06:22:18 +0800 +Subject: ceph: remove the incorrect Fw reference check when dirtying pages + +From: Xiubo Li + +[ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ] + +When doing the direct-io reads it will also try to mark pages dirty, +but for the read path it won't hold the Fw caps and there is case +will it get the Fw reference. + +Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference") +Signed-off-by: Xiubo Li +Reviewed-by: Patrick Donnelly +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/addr.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c +index 34ab7b892b700..0791855963647 100644 +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -89,7 +89,6 @@ static int ceph_set_page_dirty(struct page *page) + + /* dirty the head */ + spin_lock(&ci->i_ceph_lock); +- BUG_ON(ci->i_wr_ref == 0); // caller should hold Fw reference + if (__ceph_have_pending_cap_snap(ci)) { + struct ceph_cap_snap *capsnap = + list_last_entry(&ci->i_cap_snaps, +-- +2.43.0 + diff --git a/queue-5.4/drivers-net-fix-kconfig-indentation-continued.patch b/queue-5.4/drivers-net-fix-kconfig-indentation-continued.patch new file mode 100644 index 00000000000..b856d1b83bc --- /dev/null +++ b/queue-5.4/drivers-net-fix-kconfig-indentation-continued.patch @@ -0,0 +1,519 @@ +From d99a9cea6a51186e382046f8a47afb1a7118235d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 21:28:28 +0800 +Subject: drivers: net: Fix Kconfig indentation, continued + +From: Krzysztof Kozlowski + +[ Upstream commit 5421cf84af69a94ebb179fec252f3772c4681cca ] + +Adjust indentation from spaces to tab (+optional two spaces) as in +coding style. This fixes various indentation mixups (seven spaces, +tab+one space, etc). + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Stable-dep-of: addf89774e48 ("ieee802154: Fix build error") +Signed-off-by: Sasha Levin +--- + drivers/net/Kconfig | 64 +++++++++---------- + drivers/net/caif/Kconfig | 36 +++++------ + .../net/ethernet/freescale/fs_enet/Kconfig | 8 +-- + drivers/net/ieee802154/Kconfig | 12 ++-- + drivers/net/wireless/ath/Kconfig | 12 ++-- + drivers/net/wireless/ath/ar5523/Kconfig | 14 ++-- + drivers/net/wireless/ath/ath9k/Kconfig | 58 ++++++++--------- + drivers/net/wireless/atmel/Kconfig | 42 ++++++------ + drivers/net/wireless/ralink/rt2x00/Kconfig | 44 ++++++------- + drivers/net/wireless/ti/wl12xx/Kconfig | 8 +-- + 10 files changed, 149 insertions(+), 149 deletions(-) + +diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig +index df3cd2589bcfe..e148bbd9e783e 100644 +--- a/drivers/net/Kconfig ++++ b/drivers/net/Kconfig +@@ -154,22 +154,22 @@ config IPVLAN_L3S + select NET_L3_MASTER_DEV + + config IPVLAN +- tristate "IP-VLAN support" +- depends on INET +- depends on IPV6 || !IPV6 +- ---help--- +- This allows one to create virtual devices off of a main interface +- and packets will be delivered based on the dest L3 (IPv6/IPv4 addr) +- on packets. All interfaces (including the main interface) share L2 +- making it transparent to the connected L2 switch. ++ tristate "IP-VLAN support" ++ depends on INET ++ depends on IPV6 || !IPV6 ++ ---help--- ++ This allows one to create virtual devices off of a main interface ++ and packets will be delivered based on the dest L3 (IPv6/IPv4 addr) ++ on packets. All interfaces (including the main interface) share L2 ++ making it transparent to the connected L2 switch. + +- Ipvlan devices can be added using the "ip" command from the +- iproute2 package starting with the iproute2-3.19 release: ++ Ipvlan devices can be added using the "ip" command from the ++ iproute2 package starting with the iproute2-3.19 release: + +- "ip link add link [ NAME ] type ipvlan" ++ "ip link add link [ NAME ] type ipvlan" + +- To compile this driver as a module, choose M here: the module +- will be called ipvlan. ++ To compile this driver as a module, choose M here: the module ++ will be called ipvlan. + + config IPVTAP + tristate "IP-VLAN based tap driver" +@@ -186,11 +186,11 @@ config IPVTAP + will be called ipvtap. + + config VXLAN +- tristate "Virtual eXtensible Local Area Network (VXLAN)" +- depends on INET +- select NET_UDP_TUNNEL +- select GRO_CELLS +- ---help--- ++ tristate "Virtual eXtensible Local Area Network (VXLAN)" ++ depends on INET ++ select NET_UDP_TUNNEL ++ select GRO_CELLS ++ ---help--- + This allows one to create vxlan virtual interfaces that provide + Layer 2 Networks over Layer 3 Networks. VXLAN is often used + to tunnel virtual network infrastructure in virtualized environments. +@@ -201,12 +201,12 @@ config VXLAN + will be called vxlan. + + config GENEVE +- tristate "Generic Network Virtualization Encapsulation" +- depends on INET +- depends on IPV6 || !IPV6 +- select NET_UDP_TUNNEL +- select GRO_CELLS +- ---help--- ++ tristate "Generic Network Virtualization Encapsulation" ++ depends on INET ++ depends on IPV6 || !IPV6 ++ select NET_UDP_TUNNEL ++ select GRO_CELLS ++ ---help--- + This allows one to create geneve virtual interfaces that provide + Layer 2 Networks over Layer 3 Networks. GENEVE is often used + to tunnel virtual network infrastructure in virtualized environments. +@@ -245,8 +245,8 @@ config MACSEC + config NETCONSOLE + tristate "Network console logging support" + ---help--- +- If you want to log kernel messages over the network, enable this. +- See for details. ++ If you want to log kernel messages over the network, enable this. ++ See for details. + + config NETCONSOLE_DYNAMIC + bool "Dynamic reconfiguration of logging targets" +@@ -363,12 +363,12 @@ config NET_VRF + support enables VRF devices. + + config VSOCKMON +- tristate "Virtual vsock monitoring device" +- depends on VHOST_VSOCK +- ---help--- +- This option enables a monitoring net device for vsock sockets. It is +- mostly intended for developers or support to debug vsock issues. If +- unsure, say N. ++ tristate "Virtual vsock monitoring device" ++ depends on VHOST_VSOCK ++ ---help--- ++ This option enables a monitoring net device for vsock sockets. It is ++ mostly intended for developers or support to debug vsock issues. If ++ unsure, say N. + + endif # NET_CORE + +diff --git a/drivers/net/caif/Kconfig b/drivers/net/caif/Kconfig +index 66ea15f067025..f330c9f4c6c85 100644 +--- a/drivers/net/caif/Kconfig ++++ b/drivers/net/caif/Kconfig +@@ -10,37 +10,37 @@ config CAIF_TTY + depends on CAIF && TTY + default n + ---help--- +- The CAIF TTY transport driver is a Line Discipline (ldisc) +- identified as N_CAIF. When this ldisc is opened from user space +- it will redirect the TTY's traffic into the CAIF stack. ++ The CAIF TTY transport driver is a Line Discipline (ldisc) ++ identified as N_CAIF. When this ldisc is opened from user space ++ it will redirect the TTY's traffic into the CAIF stack. + + config CAIF_SPI_SLAVE + tristate "CAIF SPI transport driver for slave interface" + depends on CAIF && HAS_DMA + default n + ---help--- +- The CAIF Link layer SPI Protocol driver for Slave SPI interface. +- This driver implements a platform driver to accommodate for a +- platform specific SPI device. A sample CAIF SPI Platform device is +- provided in . ++ The CAIF Link layer SPI Protocol driver for Slave SPI interface. ++ This driver implements a platform driver to accommodate for a ++ platform specific SPI device. A sample CAIF SPI Platform device is ++ provided in . + + config CAIF_SPI_SYNC + bool "Next command and length in start of frame" + depends on CAIF_SPI_SLAVE + default n + ---help--- +- Putting the next command and length in the start of the frame can +- help to synchronize to the next transfer in case of over or under-runs. +- This option also needs to be enabled on the modem. ++ Putting the next command and length in the start of the frame can ++ help to synchronize to the next transfer in case of over or under-runs. ++ This option also needs to be enabled on the modem. + + config CAIF_HSI +- tristate "CAIF HSI transport driver" +- depends on CAIF +- default n +- ---help--- +- The CAIF low level driver for CAIF over HSI. +- Be aware that if you enable this then you also need to +- enable a low-level HSI driver. ++ tristate "CAIF HSI transport driver" ++ depends on CAIF ++ default n ++ ---help--- ++ The CAIF low level driver for CAIF over HSI. ++ Be aware that if you enable this then you also need to ++ enable a low-level HSI driver. + + config CAIF_VIRTIO + tristate "CAIF virtio transport driver" +@@ -50,7 +50,7 @@ config CAIF_VIRTIO + select GENERIC_ALLOCATOR + default n + ---help--- +- The CAIF driver for CAIF over Virtio. ++ The CAIF driver for CAIF over Virtio. + + if CAIF_VIRTIO + source "drivers/vhost/Kconfig.vringh" +diff --git a/drivers/net/ethernet/freescale/fs_enet/Kconfig b/drivers/net/ethernet/freescale/fs_enet/Kconfig +index 245d9a68a71fb..7f20840fde074 100644 +--- a/drivers/net/ethernet/freescale/fs_enet/Kconfig ++++ b/drivers/net/ethernet/freescale/fs_enet/Kconfig +@@ -1,9 +1,9 @@ + # SPDX-License-Identifier: GPL-2.0-only + config FS_ENET +- tristate "Freescale Ethernet Driver" +- depends on NET_VENDOR_FREESCALE && (CPM1 || CPM2 || PPC_MPC512x) +- select MII +- select PHYLIB ++ tristate "Freescale Ethernet Driver" ++ depends on NET_VENDOR_FREESCALE && (CPM1 || CPM2 || PPC_MPC512x) ++ select MII ++ select PHYLIB + + config FS_ENET_MPC5121_FEC + def_bool y if (FS_ENET && PPC_MPC512x) +diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig +index 8af5b7e9f4eda..c92a62dbf3982 100644 +--- a/drivers/net/ieee802154/Kconfig ++++ b/drivers/net/ieee802154/Kconfig +@@ -74,9 +74,9 @@ config IEEE802154_ATUSB + The module will be called 'atusb'. + + config IEEE802154_ADF7242 +- tristate "ADF7242 transceiver driver" +- depends on IEEE802154_DRIVERS && MAC802154 +- depends on SPI ++ tristate "ADF7242 transceiver driver" ++ depends on IEEE802154_DRIVERS && MAC802154 ++ depends on SPI + ---help--- + Say Y here to enable the ADF7242 SPI 802.15.4 wireless + controller. +@@ -107,9 +107,9 @@ config IEEE802154_CA8210_DEBUGFS + management entities. + + config IEEE802154_MCR20A +- tristate "MCR20A transceiver driver" +- depends on IEEE802154_DRIVERS && MAC802154 +- depends on SPI ++ tristate "MCR20A transceiver driver" ++ depends on IEEE802154_DRIVERS && MAC802154 ++ depends on SPI + ---help--- + Say Y here to enable the MCR20A SPI 802.15.4 wireless + controller. +diff --git a/drivers/net/wireless/ath/Kconfig b/drivers/net/wireless/ath/Kconfig +index 56616d988c965..7b90b8546162f 100644 +--- a/drivers/net/wireless/ath/Kconfig ++++ b/drivers/net/wireless/ath/Kconfig +@@ -30,12 +30,12 @@ config ATH_DEBUG + Right now only ath9k makes use of this. + + config ATH_TRACEPOINTS +- bool "Atheros wireless tracing" +- depends on ATH_DEBUG +- depends on EVENT_TRACING +- ---help--- +- This option enables tracepoints for atheros wireless drivers. +- Currently, ath9k makes use of this facility. ++ bool "Atheros wireless tracing" ++ depends on ATH_DEBUG ++ depends on EVENT_TRACING ++ ---help--- ++ This option enables tracepoints for atheros wireless drivers. ++ Currently, ath9k makes use of this facility. + + config ATH_REG_DYNAMIC_USER_REG_HINTS + bool "Atheros dynamic user regulatory hints" +diff --git a/drivers/net/wireless/ath/ar5523/Kconfig b/drivers/net/wireless/ath/ar5523/Kconfig +index 65b39c7d035d7..e82df5f1ea67e 100644 +--- a/drivers/net/wireless/ath/ar5523/Kconfig ++++ b/drivers/net/wireless/ath/ar5523/Kconfig +@@ -1,9 +1,9 @@ + # SPDX-License-Identifier: ISC + config AR5523 +- tristate "Atheros AR5523 wireless driver support" +- depends on MAC80211 && USB +- select ATH_COMMON +- select FW_LOADER +- ---help--- +- This module add support for AR5523 based USB dongles such as D-Link +- DWL-G132, Netgear WPN111 and many more. ++ tristate "Atheros AR5523 wireless driver support" ++ depends on MAC80211 && USB ++ select ATH_COMMON ++ select FW_LOADER ++ ---help--- ++ This module add support for AR5523 based USB dongles such as D-Link ++ DWL-G132, Netgear WPN111 and many more. +diff --git a/drivers/net/wireless/ath/ath9k/Kconfig b/drivers/net/wireless/ath/ath9k/Kconfig +index c99f422844655..78620c6b64a20 100644 +--- a/drivers/net/wireless/ath/ath9k/Kconfig ++++ b/drivers/net/wireless/ath/ath9k/Kconfig +@@ -144,13 +144,13 @@ config ATH9K_RFKILL + a platform that can toggle the RF-Kill GPIO. + + config ATH9K_CHANNEL_CONTEXT +- bool "Channel Context support" +- depends on ATH9K +- default n +- ---help--- +- This option enables channel context support in ath9k, which is needed +- for multi-channel concurrency. Enable this if P2P PowerSave support +- is required. ++ bool "Channel Context support" ++ depends on ATH9K ++ default n ++ ---help--- ++ This option enables channel context support in ath9k, which is needed ++ for multi-channel concurrency. Enable this if P2P PowerSave support ++ is required. + + config ATH9K_PCOEM + bool "Atheros ath9k support for PC OEM cards" if EXPERT +@@ -162,32 +162,32 @@ config ATH9K_PCI_NO_EEPROM + depends on ATH9K_PCI + default n + help +- This separate driver provides a loader in order to support the +- AR500X to AR92XX-generation of ath9k PCI(e) WiFi chips, which have +- their initialization data (which contains the real PCI Device ID +- that ath9k will need) stored together with the calibration data out +- of reach for the ath9k chip. ++ This separate driver provides a loader in order to support the ++ AR500X to AR92XX-generation of ath9k PCI(e) WiFi chips, which have ++ their initialization data (which contains the real PCI Device ID ++ that ath9k will need) stored together with the calibration data out ++ of reach for the ath9k chip. + +- These devices are usually various network appliances, routers or +- access Points and such. ++ These devices are usually various network appliances, routers or ++ access Points and such. + +- If unsure say N. ++ If unsure say N. + + config ATH9K_HTC +- tristate "Atheros HTC based wireless cards support" +- depends on USB && MAC80211 +- select ATH9K_HW +- select MAC80211_LEDS +- select LEDS_CLASS +- select NEW_LEDS +- select ATH9K_COMMON +- ---help--- +- Support for Atheros HTC based cards. +- Chipsets supported: AR9271 +- +- For more information: http://wireless.kernel.org/en/users/Drivers/ath9k_htc +- +- The built module will be ath9k_htc. ++ tristate "Atheros HTC based wireless cards support" ++ depends on USB && MAC80211 ++ select ATH9K_HW ++ select MAC80211_LEDS ++ select LEDS_CLASS ++ select NEW_LEDS ++ select ATH9K_COMMON ++ ---help--- ++ Support for Atheros HTC based cards. ++ Chipsets supported: AR9271 ++ ++ For more information: http://wireless.kernel.org/en/users/Drivers/ath9k_htc ++ ++ The built module will be ath9k_htc. + + config ATH9K_HTC_DEBUGFS + bool "Atheros ath9k_htc debugging" +diff --git a/drivers/net/wireless/atmel/Kconfig b/drivers/net/wireless/atmel/Kconfig +index 4c0556b3a5ba8..c2142c70f25db 100644 +--- a/drivers/net/wireless/atmel/Kconfig ++++ b/drivers/net/wireless/atmel/Kconfig +@@ -13,29 +13,29 @@ config WLAN_VENDOR_ATMEL + if WLAN_VENDOR_ATMEL + + config ATMEL +- tristate "Atmel at76c50x chipset 802.11b support" +- depends on CFG80211 && (PCI || PCMCIA) +- select WIRELESS_EXT +- select WEXT_PRIV +- select FW_LOADER +- select CRC32 +- ---help--- +- A driver 802.11b wireless cards based on the Atmel fast-vnet +- chips. This driver supports standard Linux wireless extensions. +- +- Many cards based on this chipset do not have flash memory +- and need their firmware loaded at start-up. If yours is +- one of these, you will need to provide a firmware image +- to be loaded into the card by the driver. The Atmel +- firmware package can be downloaded from +- ++ tristate "Atmel at76c50x chipset 802.11b support" ++ depends on CFG80211 && (PCI || PCMCIA) ++ select WIRELESS_EXT ++ select WEXT_PRIV ++ select FW_LOADER ++ select CRC32 ++ ---help--- ++ A driver 802.11b wireless cards based on the Atmel fast-vnet ++ chips. This driver supports standard Linux wireless extensions. ++ ++ Many cards based on this chipset do not have flash memory ++ and need their firmware loaded at start-up. If yours is ++ one of these, you will need to provide a firmware image ++ to be loaded into the card by the driver. The Atmel ++ firmware package can be downloaded from ++ + + config PCI_ATMEL +- tristate "Atmel at76c506 PCI cards" +- depends on ATMEL && PCI +- ---help--- +- Enable support for PCI and mini-PCI cards containing the +- Atmel at76c506 chip. ++ tristate "Atmel at76c506 PCI cards" ++ depends on ATMEL && PCI ++ ---help--- ++ Enable support for PCI and mini-PCI cards containing the ++ Atmel at76c506 chip. + + config PCMCIA_ATMEL + tristate "Atmel at76c502/at76c504 PCMCIA cards" +diff --git a/drivers/net/wireless/ralink/rt2x00/Kconfig b/drivers/net/wireless/ralink/rt2x00/Kconfig +index f8a9244ce012b..d4969d6178220 100644 +--- a/drivers/net/wireless/ralink/rt2x00/Kconfig ++++ b/drivers/net/wireless/ralink/rt2x00/Kconfig +@@ -95,20 +95,20 @@ config RT2800PCI_RT35XX + + + config RT2800PCI_RT53XX +- bool "rt2800pci - Include support for rt53xx devices (EXPERIMENTAL)" +- default y +- ---help--- +- This adds support for rt53xx wireless chipset family to the +- rt2800pci driver. +- Supported chips: RT5390 ++ bool "rt2800pci - Include support for rt53xx devices (EXPERIMENTAL)" ++ default y ++ ---help--- ++ This adds support for rt53xx wireless chipset family to the ++ rt2800pci driver. ++ Supported chips: RT5390 + + config RT2800PCI_RT3290 +- bool "rt2800pci - Include support for rt3290 devices (EXPERIMENTAL)" +- default y +- ---help--- +- This adds support for rt3290 wireless chipset family to the +- rt2800pci driver. +- Supported chips: RT3290 ++ bool "rt2800pci - Include support for rt3290 devices (EXPERIMENTAL)" ++ default y ++ ---help--- ++ This adds support for rt3290 wireless chipset family to the ++ rt2800pci driver. ++ Supported chips: RT3290 + endif + + config RT2500USB +@@ -174,18 +174,18 @@ config RT2800USB_RT3573 + in the rt2800usb driver. + + config RT2800USB_RT53XX +- bool "rt2800usb - Include support for rt53xx devices (EXPERIMENTAL)" +- ---help--- +- This adds support for rt53xx wireless chipset family to the +- rt2800usb driver. +- Supported chips: RT5370 ++ bool "rt2800usb - Include support for rt53xx devices (EXPERIMENTAL)" ++ ---help--- ++ This adds support for rt53xx wireless chipset family to the ++ rt2800usb driver. ++ Supported chips: RT5370 + + config RT2800USB_RT55XX +- bool "rt2800usb - Include support for rt55xx devices (EXPERIMENTAL)" +- ---help--- +- This adds support for rt55xx wireless chipset family to the +- rt2800usb driver. +- Supported chips: RT5572 ++ bool "rt2800usb - Include support for rt55xx devices (EXPERIMENTAL)" ++ ---help--- ++ This adds support for rt55xx wireless chipset family to the ++ rt2800usb driver. ++ Supported chips: RT5572 + + config RT2800USB_UNKNOWN + bool "rt2800usb - Include support for unknown (USB) devices" +diff --git a/drivers/net/wireless/ti/wl12xx/Kconfig b/drivers/net/wireless/ti/wl12xx/Kconfig +index e409042ee9a01..9c4511604b67a 100644 +--- a/drivers/net/wireless/ti/wl12xx/Kconfig ++++ b/drivers/net/wireless/ti/wl12xx/Kconfig +@@ -1,10 +1,10 @@ + # SPDX-License-Identifier: GPL-2.0-only + config WL12XX +- tristate "TI wl12xx support" ++ tristate "TI wl12xx support" + depends on MAC80211 +- select WLCORE +- ---help--- ++ select WLCORE ++ ---help--- + This module adds support for wireless adapters based on TI wl1271, + wl1273, wl1281 and wl1283 chipsets. This module does *not* include + support for wl1251. For wl1251 support, use the separate homonymous +- driver instead. ++ driver instead. +-- +2.43.0 + diff --git a/queue-5.4/ieee802154-fix-build-error.patch b/queue-5.4/ieee802154-fix-build-error.patch new file mode 100644 index 00000000000..444c091c7ef --- /dev/null +++ b/queue-5.4/ieee802154-fix-build-error.patch @@ -0,0 +1,40 @@ +From 8bd38f413ddb5e4a252f206aef20727b54833d5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 21:17:40 +0800 +Subject: ieee802154: Fix build error + +From: Jinjie Ruan + +[ Upstream commit addf89774e48c992316449ffab4f29c2309ebefb ] + +If REGMAP_SPI is m and IEEE802154_MCR20A is y, + + mcr20a.c:(.text+0x3ed6c5b): undefined reference to `__devm_regmap_init_spi' + ld: mcr20a.c:(.text+0x3ed6cb5): undefined reference to `__devm_regmap_init_spi' + +Select REGMAP_SPI for IEEE802154_MCR20A to fix it. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240909131740.1296608-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig +index c92a62dbf3982..6d1c83fe3e976 100644 +--- a/drivers/net/ieee802154/Kconfig ++++ b/drivers/net/ieee802154/Kconfig +@@ -108,6 +108,7 @@ config IEEE802154_CA8210_DEBUGFS + + config IEEE802154_MCR20A + tristate "MCR20A transceiver driver" ++ select REGMAP_SPI + depends on IEEE802154_DRIVERS && MAC802154 + depends on SPI + ---help--- +-- +2.43.0 + diff --git a/queue-5.4/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch b/queue-5.4/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch new file mode 100644 index 00000000000..62ac2da9672 --- /dev/null +++ b/queue-5.4/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch @@ -0,0 +1,89 @@ +From 5c38a82f76bb61c45e1ee89a00780c1e16dc3681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 02:51:59 +0300 +Subject: ipv4: ip_gre: Fix drops of small packets in ipgre_xmit + +From: Anton Danilov + +[ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ] + +Regression Description: + +Depending on the options specified for the GRE tunnel device, small +packets may be dropped. This occurs because the pskb_network_may_pull +function fails due to the packet's insufficient length. + +For example, if only the okey option is specified for the tunnel device, +original (before encapsulation) packets smaller than 28 bytes (including +the IPv4 header) will be dropped. This happens because the required +length is calculated relative to the network header, not the skb->head. + +Here is how the required length is computed and checked: + +* The pull_len variable is set to 28 bytes, consisting of: + * IPv4 header: 20 bytes + * GRE header with Key field: 8 bytes + +* The pskb_network_may_pull function adds the network offset, shifting +the checkable space further to the beginning of the network header and +extending it to the beginning of the packet. As a result, the end of +the checkable space occurs beyond the actual end of the packet. + +Instead of ensuring that 28 bytes are present in skb->head, the function +is requesting these 28 bytes starting from the network header. For small +packets, this requested length exceeds the actual packet size, causing +the check to fail and the packets to be dropped. + +This issue affects both locally originated and forwarded packets in +DMVPN-like setups. + +How to reproduce (for local originated packets): + + ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \ + local remote 0.0.0.0 + + ip link set mtu 1400 dev gre1 + ip link set up dev gre1 + ip address add 192.168.13.1/24 dev gre1 + ip neighbor add 192.168.13.2 lladdr dev gre1 + ping -s 1374 -c 10 192.168.13.2 + tcpdump -vni gre1 + tcpdump -vni 'ip proto 47' + ip -s -s -d link show dev gre1 + +Solution: + +Use the pskb_may_pull function instead the pskb_network_may_pull. + +Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()") +Signed-off-by: Anton Danilov +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 3aae46b845775..09e9e46259f70 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -635,11 +635,11 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + if (skb_cow_head(skb, 0)) + goto free_skb; + +- tnl_params = (const struct iphdr *)skb->data; +- +- if (!pskb_network_may_pull(skb, pull_len)) ++ if (!pskb_may_pull(skb, pull_len)) + goto free_skb; + ++ tnl_params = (const struct iphdr *)skb->data; ++ + /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ + skb_pull(skb, pull_len); + skb_reset_mac_header(skb); +-- +2.43.0 + diff --git a/queue-5.4/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch b/queue-5.4/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch new file mode 100644 index 00000000000..fad6f0dd1ca --- /dev/null +++ b/queue-5.4/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch @@ -0,0 +1,78 @@ +From f8959b8b0b42bec764a336b77d987723cbe68190 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 23:40:44 +0200 +Subject: mailbox: bcm2835: Fix timeout during suspend mode + +From: Stefan Wahren + +[ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ] + +During noirq suspend phase the Raspberry Pi power driver suffer of +firmware property timeouts. The reason is that the IRQ of the underlying +BCM2835 mailbox is disabled and rpi_firmware_property_list() will always +run into a timeout [1]. + +Since the VideoCore side isn't consider as a wakeup source, set the +IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled +during suspend-resume cycle. + +[1] +PM: late suspend of devices complete after 1.754 msecs +WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128 + rpi_firmware_property_list+0x204/0x22c +Firmware transaction 0x00028001 timeout +Modules linked in: +CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17 +Hardware name: BCM2835 +Call trace: +unwind_backtrace from show_stack+0x18/0x1c +show_stack from dump_stack_lvl+0x34/0x44 +dump_stack_lvl from __warn+0x88/0xec +__warn from warn_slowpath_fmt+0x7c/0xb0 +warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c +rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c +rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0 +rpi_firmware_set_power from _genpd_power_off+0xe4/0x148 +_genpd_power_off from genpd_sync_power_off+0x7c/0x11c +genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0 +genpd_finish_suspend from dpm_run_callback+0x78/0xd0 +dpm_run_callback from device_suspend_noirq+0xc0/0x238 +device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168 +dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac +suspend_devices_and_enter from pm_suspend+0x254/0x2e4 +pm_suspend from state_store+0xa8/0xd4 +state_store from kernfs_fop_write_iter+0x154/0x1a0 +kernfs_fop_write_iter from vfs_write+0x12c/0x184 +vfs_write from ksys_write+0x78/0xc0 +ksys_write from ret_fast_syscall+0x0/0x54 +Exception stack(0xcc93dfa8 to 0xcc93dff0) +[...] +PM: noirq suspend of devices complete after 3095.584 msecs + +Link: https://github.com/raspberrypi/firmware/issues/1894 +Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support") +Signed-off-by: Stefan Wahren +Reviewed-by: Florian Fainelli +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/bcm2835-mailbox.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/bcm2835-mailbox.c b/drivers/mailbox/bcm2835-mailbox.c +index 39761d1905459..5c33c01a9d26a 100644 +--- a/drivers/mailbox/bcm2835-mailbox.c ++++ b/drivers/mailbox/bcm2835-mailbox.c +@@ -146,7 +146,8 @@ static int bcm2835_mbox_probe(struct platform_device *pdev) + spin_lock_init(&mbox->lock); + + ret = devm_request_irq(dev, irq_of_parse_and_map(dev->of_node, 0), +- bcm2835_mbox_irq, 0, dev_name(dev), mbox); ++ bcm2835_mbox_irq, IRQF_NO_SUSPEND, dev_name(dev), ++ mbox); + if (ret) { + dev_err(dev, "Failed to register a mailbox IRQ handler: %d\n", + ret); +-- +2.43.0 + diff --git a/queue-5.4/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch b/queue-5.4/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch new file mode 100644 index 00000000000..982f5d18b4f --- /dev/null +++ b/queue-5.4/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch @@ -0,0 +1,39 @@ +From a348206288c3096b91494489900313b715dd61c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 02:51:47 +0000 +Subject: mailbox: rockchip: fix a typo in module autoloading + +From: Liao Chen + +[ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ] + +MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) could let the module +properly autoloaded based on the alias from of_device_id table. It +should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match', +just fix it. + +Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver") +Signed-off-by: Liao Chen +Reviewed-by: Heiko Stuebner +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/rockchip-mailbox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mailbox/rockchip-mailbox.c b/drivers/mailbox/rockchip-mailbox.c +index 979acc810f307..ca50f7f176f6a 100644 +--- a/drivers/mailbox/rockchip-mailbox.c ++++ b/drivers/mailbox/rockchip-mailbox.c +@@ -159,7 +159,7 @@ static const struct of_device_id rockchip_mbox_of_match[] = { + { .compatible = "rockchip,rk3368-mailbox", .data = &rk3368_drv_data}, + { }, + }; +-MODULE_DEVICE_TABLE(of, rockchp_mbox_of_match); ++MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match); + + static int rockchip_mbox_probe(struct platform_device *pdev) + { +-- +2.43.0 + diff --git a/queue-5.4/minor-fixes-to-the-caif-transport-drivers-kconfig-fi.patch b/queue-5.4/minor-fixes-to-the-caif-transport-drivers-kconfig-fi.patch new file mode 100644 index 00000000000..47ed1b1426b --- /dev/null +++ b/queue-5.4/minor-fixes-to-the-caif-transport-drivers-kconfig-fi.patch @@ -0,0 +1,57 @@ +From 64009ecb9d8c587b2ca9444121a653348d0956c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 16:04:01 -0700 +Subject: Minor fixes to the CAIF Transport drivers Kconfig file + +From: rd.dunlab@gmail.com + +[ Upstream commit 0f04f8ea62ce79f5a8bb1a7c2d92513799532239 ] + +Minor fixes to the CAIF Transport drivers Kconfig file: + +- end sentence with period +- capitalize CAIF acronym + +Signed-off-by: Randy Dunlap +Cc: Randy Dunlap +Signed-off-by: David S. Miller +Stable-dep-of: addf89774e48 ("ieee802154: Fix build error") +Signed-off-by: Sasha Levin +--- + drivers/net/caif/Kconfig | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/caif/Kconfig b/drivers/net/caif/Kconfig +index 2b9a2f117113e..66ea15f067025 100644 +--- a/drivers/net/caif/Kconfig ++++ b/drivers/net/caif/Kconfig +@@ -22,7 +22,7 @@ config CAIF_SPI_SLAVE + The CAIF Link layer SPI Protocol driver for Slave SPI interface. + This driver implements a platform driver to accommodate for a + platform specific SPI device. A sample CAIF SPI Platform device is +- provided in Documentation/networking/caif/spi_porting.txt ++ provided in . + + config CAIF_SPI_SYNC + bool "Next command and length in start of frame" +@@ -38,7 +38,7 @@ config CAIF_HSI + depends on CAIF + default n + ---help--- +- The caif low level driver for CAIF over HSI. ++ The CAIF low level driver for CAIF over HSI. + Be aware that if you enable this then you also need to + enable a low-level HSI driver. + +@@ -50,7 +50,7 @@ config CAIF_VIRTIO + select GENERIC_ALLOCATOR + default n + ---help--- +- The caif driver for CAIF over Virtio. ++ The CAIF driver for CAIF over Virtio. + + if CAIF_VIRTIO + source "drivers/vhost/Kconfig.vringh" +-- +2.43.0 + diff --git a/queue-5.4/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch b/queue-5.4/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch new file mode 100644 index 00000000000..dad069114f4 --- /dev/null +++ b/queue-5.4/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch @@ -0,0 +1,64 @@ +From 196e024027a83ed4148ab18b598d5d315a3d5b86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:57 +0000 +Subject: net: add more sanity checks to qdisc_pkt_len_init() + +From: Eric Dumazet + +[ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ] + +One path takes care of SKB_GSO_DODGY, assuming +skb->len is bigger than hdr_len. + +virtio_net_hdr_to_skb() does not fully dissect TCP headers, +it only make sure it is at least 20 bytes. + +It is possible for an user to provide a malicious 'GSO' packet, +total length of 80 bytes. + +- 20 bytes of IPv4 header +- 60 bytes TCP header +- a small gso_size like 8 + +virtio_net_hdr_to_skb() would declare this packet as a normal +GSO packet, because it would see 40 bytes of payload, +bigger than gso_size. + +We need to make detect this case to not underflow +qdisc_skb_cb(skb)->pkt_len. + +Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation") +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 5e75359acd0c5..8f2f14df3610b 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3383,10 +3383,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + hdr_len += sizeof(struct udphdr); + } + +- if (shinfo->gso_type & SKB_GSO_DODGY) +- gso_segs = DIV_ROUND_UP(skb->len - hdr_len, +- shinfo->gso_size); ++ if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) { ++ int payload = skb->len - hdr_len; + ++ /* Malicious packet. */ ++ if (payload <= 0) ++ return; ++ gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size); ++ } + qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + } + } +-- +2.43.0 + diff --git a/queue-5.4/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch b/queue-5.4/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch new file mode 100644 index 00000000000..3ebeeef2670 --- /dev/null +++ b/queue-5.4/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch @@ -0,0 +1,141 @@ +From ccefb4d45ba8812deca86cffc6cb55e4ef712976 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:56 +0000 +Subject: net: avoid potential underflow in qdisc_pkt_len_init() with UFO + +From: Eric Dumazet + +[ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ] + +After commit 7c6d2ecbda83 ("net: be more gentle about silly gso +requests coming from user") virtio_net_hdr_to_skb() had sanity check +to detect malicious attempts from user space to cook a bad GSO packet. + +Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count +transport header in UFO") while fixing one issue, allowed user space +to cook a GSO packet with the following characteristic : + +IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. + +When this packet arrives in qdisc_pkt_len_init(), we end up +with hdr_len = 28 (IPv4 header + UDP header), matching skb->len + +Then the following sets gso_segs to 0 : + +gso_segs = DIV_ROUND_UP(skb->len - hdr_len, + shinfo->gso_size); + +Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ + +qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + +This leads to the following crash in fq_codel [1] + +qdisc_pkt_len_init() is best effort, we only want an estimation +of the bytes sent on the wire, not crashing the kernel. + +This patch is fixing this particular issue, a following one +adds more sanity checks for another potential bug. + +[1] +[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 70.724561] #PF: supervisor read access in kernel mode +[ 70.724561] #PF: error_code(0x0000) - not-present page +[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 +[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI +[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 +[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 +All code +======== + 0: 24 08 and $0x8,%al + 2: 49 c1 e1 06 shl $0x6,%r9 + 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) + b: 45 31 ed xor %r13d,%r13d + e: 45 31 c0 xor %r8d,%r8d + 11: 31 ff xor %edi,%edi + 13: 89 44 24 14 mov %eax,0x14(%rsp) + 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 + 1e: eb 04 jmp 0x24 + 20: 39 ca cmp %ecx,%edx + 22: 73 37 jae 0x5b + 24: 4d 8b 39 mov (%r9),%r15 + 27: 83 c7 01 add $0x1,%edi + 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction + 2d: 49 89 11 mov %rdx,(%r9) + 30: 41 8b 57 28 mov 0x28(%r15),%edx + 34: 45 8b 5f 34 mov 0x34(%r15),%r11d + 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 3f: 49 rex.WB + +Code starting with the faulting instruction +=========================================== + 0: 49 8b 17 mov (%r15),%rdx + 3: 49 89 11 mov %rdx,(%r9) + 6: 41 8b 57 28 mov 0x28(%r15),%edx + a: 45 8b 5f 34 mov 0x34(%r15),%r11d + e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 15: 49 rex.WB +[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 +[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 +[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 +[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 +[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 +[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 +[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 +[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0 +[ 70.724561] Call Trace: +[ 70.724561] +[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) +[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715) +[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) +[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) +[ 70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784) +[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2)) +[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237) +[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2)) +[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4)) +[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) +[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1)) +[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1)) +[ 70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4)) +[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1)) +[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1)) +[ 70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355) +[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1)) +[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 70.724561] RIP: 0033:0x41ae09 + +Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jonathan Davies +Reviewed-by: Willem de Bruijn +Reviewed-by: Jonathan Davies +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 4f39d97209811..5e75359acd0c5 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3375,7 +3375,7 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + sizeof(_tcphdr), &_tcphdr); + if (likely(th)) + hdr_len += __tcp_hdrlen(th); +- } else { ++ } else if (shinfo->gso_type & SKB_GSO_UDP_L4) { + struct udphdr _udphdr; + + if (skb_header_pointer(skb, skb_transport_offset(skb), +-- +2.43.0 + diff --git a/queue-5.4/net-ethernet-lantiq_etop-fix-memory-disclosure.patch b/queue-5.4/net-ethernet-lantiq_etop-fix-memory-disclosure.patch new file mode 100644 index 00000000000..30b13f20da2 --- /dev/null +++ b/queue-5.4/net-ethernet-lantiq_etop-fix-memory-disclosure.patch @@ -0,0 +1,52 @@ +From a746dcff6a34f7b281faffdaac35f99067187e89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 23:49:49 +0200 +Subject: net: ethernet: lantiq_etop: fix memory disclosure + +From: Aleksander Jan Bajkowski + +[ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ] + +When applying padding, the buffer is not zeroed, which results in memory +disclosure. The mentioned data is observed on the wire. This patch uses +skb_put_padto() to pad Ethernet frames properly. The mentioned function +zeroes the expanded buffer. + +In case the packet cannot be padded it is silently dropped. Statistics +are also not incremented. This driver does not support statistics in the +old 32-bit format or the new 64-bit format. These will be added in the +future. In its current form, the patch should be easily backported to +stable versions. + +Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets +in hardware, so software padding must be applied. + +Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver") +Signed-off-by: Aleksander Jan Bajkowski +Reviewed-by: Jacob Keller +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_etop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c +index 932796080c7f7..5121e175f313f 100644 +--- a/drivers/net/ethernet/lantiq_etop.c ++++ b/drivers/net/ethernet/lantiq_etop.c +@@ -464,7 +464,9 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev) + unsigned long flags; + u32 byte_offset; + +- len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len; ++ if (skb_put_padto(skb, ETH_ZLEN)) ++ return NETDEV_TX_OK; ++ len = skb->len; + + if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) { + netdev_err(dev, "tx ring full\n"); +-- +2.43.0 + diff --git a/queue-5.4/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch b/queue-5.4/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch new file mode 100644 index 00000000000..2c2f2eac8d1 --- /dev/null +++ b/queue-5.4/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch @@ -0,0 +1,48 @@ +From 3a5aba66c7f4083006817c1e541795fcb2f1b2fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 17:42:34 +0800 +Subject: net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 09573b1cc76e7ff8f056ab29ea1cdc152ec8c653 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Reviewed-by: Miquel Raynal +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240911094234.1922418-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mcr20a.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ieee802154/mcr20a.c b/drivers/net/ieee802154/mcr20a.c +index 383231b854642..16474990dc01e 100644 +--- a/drivers/net/ieee802154/mcr20a.c ++++ b/drivers/net/ieee802154/mcr20a.c +@@ -1311,16 +1311,13 @@ mcr20a_probe(struct spi_device *spi) + irq_type = IRQF_TRIGGER_FALLING; + + ret = devm_request_irq(&spi->dev, spi->irq, mcr20a_irq_isr, +- irq_type, dev_name(&spi->dev), lp); ++ irq_type | IRQF_NO_AUTOEN, dev_name(&spi->dev), lp); + if (ret) { + dev_err(&spi->dev, "could not request_irq for mcr20a\n"); + ret = -ENODEV; + goto free_dev; + } + +- /* disable_irq by default and wait for starting hardware */ +- disable_irq(spi->irq); +- + ret = ieee802154_register_hw(hw); + if (ret) { + dev_crit(&spi->dev, "ieee802154_register_hw failed\n"); +-- +2.43.0 + diff --git a/queue-5.4/net-mlx5-added-cond_resched-to-crdump-collection.patch b/queue-5.4/net-mlx5-added-cond_resched-to-crdump-collection.patch new file mode 100644 index 00000000000..64618906348 --- /dev/null +++ b/queue-5.4/net-mlx5-added-cond_resched-to-crdump-collection.patch @@ -0,0 +1,83 @@ +From 9dd36c2c4d794390acc517609f65ed59301f1e38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 22:02:48 -0600 +Subject: net/mlx5: Added cond_resched() to crdump collection + +From: Mohamed Khalfella + +[ Upstream commit ec793155894140df7421d25903de2e6bc12c695b ] + +Collecting crdump involves reading vsc registers from pci config space +of mlx device, which can take long time to complete. This might result +in starving other threads waiting to run on the cpu. + +Numbers I got from testing ConnectX-5 Ex MCX516A-CDAT in the lab: + +- mlx5_vsc_gw_read_block_fast() was called with length = 1310716. +- mlx5_vsc_gw_read_fast() reads 4 bytes at a time. It was not used to + read the entire 1310716 bytes. It was called 53813 times because + there are jumps in read_addr. +- On average mlx5_vsc_gw_read_fast() took 35284.4ns. +- In total mlx5_vsc_wait_on_flag() called vsc_read() 54707 times. + The average time for each call was 17548.3ns. In some instances + vsc_read() was called more than one time when the flag was not set. + As expected the thread released the cpu after 16 iterations in + mlx5_vsc_wait_on_flag(). +- Total time to read crdump was 35284.4ns * 53813 ~= 1.898s. + +It was seen in the field that crdump can take more than 5 seconds to +complete. During that time mlx5_vsc_wait_on_flag() did not release the +cpu because it did not complete 16 iterations. It is believed that pci +config reads were slow. Adding cond_resched() every 128 register read +improves the situation. In the common case the, crdump takes ~1.8989s, +the thread yields the cpu every ~4.51ms. If crdump takes ~5s, the thread +yields the cpu every ~18.0ms. + +Fixes: 8b9d8baae1de ("net/mlx5: Add Crdump support") +Reviewed-by: Yuanyuan Zhong +Signed-off-by: Mohamed Khalfella +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +index d0b595ba61101..432c98f2626db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +@@ -24,6 +24,11 @@ + pci_write_config_dword((dev)->pdev, (dev)->vsc_addr + (offset), (val)) + #define VSC_MAX_RETRIES 2048 + ++/* Reading VSC registers can take relatively long time. ++ * Yield the cpu every 128 registers read. ++ */ ++#define VSC_GW_READ_BLOCK_COUNT 128 ++ + enum { + VSC_CTRL_OFFSET = 0x4, + VSC_COUNTER_OFFSET = 0x8, +@@ -273,6 +278,7 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + { + unsigned int next_read_addr = 0; + unsigned int read_addr = 0; ++ unsigned int count = 0; + + while (read_addr < length) { + if (mlx5_vsc_gw_read_fast(dev, read_addr, &next_read_addr, +@@ -280,6 +286,10 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + return read_addr; + + read_addr = next_read_addr; ++ if (++count == VSC_GW_READ_BLOCK_COUNT) { ++ cond_resched(); ++ count = 0; ++ } + } + return length; + } +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch b/queue-5.4/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch new file mode 100644 index 00000000000..fb43eec09f6 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch @@ -0,0 +1,134 @@ +From 2c38820068a1a2abf0901bbbccb5ae5f91b99287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 18:56:11 +0000 +Subject: netfilter: nf_tables: prevent nf_skb_duplicated corruption + +From: Eric Dumazet + +[ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ] + +syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write +per-cpu variable nf_skb_duplicated in an unsafe way [1]. + +Disabling preemption as hinted by the splat is not enough, +we have to disable soft interrupts as well. + +[1] +BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316 + caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 +CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49 + nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 + nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 + nf_hook+0x2c4/0x450 include/linux/netfilter.h:269 + NF_HOOK_COND include/linux/netfilter.h:302 [inline] + ip_output+0x185/0x230 net/ipv4/ip_output.c:433 + ip_local_out net/ipv4/ip_output.c:129 [inline] + ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495 + udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981 + udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x1a6/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 + ___sys_sendmsg net/socket.c:2651 [inline] + __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 + __do_sys_sendmmsg net/socket.c:2766 [inline] + __se_sys_sendmmsg net/socket.c:2763 [inline] + __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f4ce4f7def9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9 +RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006 +RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68 + + +Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nf_dup_ipv4.c | 7 +++++-- + net/ipv6/netfilter/nf_dup_ipv6.c | 7 +++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c +index 6cc5743c553a0..9a21175693db5 100644 +--- a/net/ipv4/netfilter/nf_dup_ipv4.c ++++ b/net/ipv4/netfilter/nf_dup_ipv4.c +@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + { + struct iphdr *iph; + ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + /* + * Copy the skb, and route the copy. Will later return %XT_CONTINUE for + * the original skb, which should continue on its way as if nothing has +@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + */ + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + /* Avoid counting cloned packets towards the original connection. */ +@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv4); + +diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c +index a0a2de30be3e7..0c39c77fe8a8a 100644 +--- a/net/ipv6/netfilter/nf_dup_ipv6.c ++++ b/net/ipv6/netfilter/nf_dup_ipv6.c +@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb, + void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + const struct in6_addr *gw, int oif) + { ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + nf_reset_ct(skb); +@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv6); + +-- +2.43.0 + diff --git a/queue-5.4/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch b/queue-5.4/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch new file mode 100644 index 00000000000..ff2134b5a0e --- /dev/null +++ b/queue-5.4/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch @@ -0,0 +1,35 @@ +From a8abbdc089094a23c1d84438d2f8e35d739fa97b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 20:01:20 +0200 +Subject: netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED + +From: Phil Sutter + +[ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ] + +Fix the comment which incorrectly defines it as NLA_U32. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index 3e6c61d026e35..0ddfe330f6425 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -1516,7 +1516,7 @@ enum nft_object_attributes { + * + * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING) + * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING) +- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) ++ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED) + * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) + * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) + */ +-- +2.43.0 + diff --git a/queue-5.4/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch b/queue-5.4/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch new file mode 100644 index 00000000000..8f7454d916a --- /dev/null +++ b/queue-5.4/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch @@ -0,0 +1,56 @@ +From 5bf90a0c85433e810c066e4f24b0d99b18cb0fba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:49:51 -0400 +Subject: sctp: set sk_state back to CLOSED if autobind fails in + sctp_listen_start + +From: Xin Long + +[ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ] + +In sctp_listen_start() invoked by sctp_inet_listen(), it should set the +sk_state back to CLOSED if sctp_autobind() fails due to whatever reason. + +Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse +is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will +be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash +is NULL. + + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617 + Call Trace: + + __sys_listen_socket net/socket.c:1883 [inline] + __sys_listen+0x1b7/0x230 net/socket.c:1894 + __do_sys_listen net/socket.c:1902 [inline] + +Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code") +Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 614130ff6ba06..eef807edd61da 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8396,8 +8396,10 @@ static int sctp_listen_start(struct sock *sk, int backlog) + */ + inet_sk_set_state(sk, SCTP_SS_LISTENING); + if (!ep->base.bind_addr.port) { +- if (sctp_autobind(sk)) ++ if (sctp_autobind(sk)) { ++ inet_sk_set_state(sk, SCTP_SS_CLOSED); + return -EAGAIN; ++ } + } else { + if (sctp_get_port(sk, inet_sk(sk)->inet_num)) { + inet_sk_set_state(sk, SCTP_SS_CLOSED); +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 9ccb55a4ac5..bc6632d0917 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -175,3 +175,20 @@ mm-only-enforce-minimum-stack-gap-size-if-it-s-sensible.patch i2c-aspeed-update-the-stop-sw-state-when-the-bus-recovery-occurs.patch i2c-isch-add-missed-else.patch usb-yurex-fix-inconsistent-locking-bug-in-yurex_read.patch +mailbox-rockchip-fix-a-typo-in-module-autoloading.patch +mailbox-bcm2835-fix-timeout-during-suspend-mode.patch +ceph-remove-the-incorrect-fw-reference-check-when-di.patch +minor-fixes-to-the-caif-transport-drivers-kconfig-fi.patch +drivers-net-fix-kconfig-indentation-continued.patch +ieee802154-fix-build-error.patch +net-mlx5-added-cond_resched-to-crdump-collection.patch +netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch +net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch +netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch +bluetooth-btmrvl_sdio-refactor-irq-wakeup.patch +bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch +net-ethernet-lantiq_etop-fix-memory-disclosure.patch +net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch +net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch +ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch +sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch