From: Sasha Levin Date: Fri, 22 Dec 2023 22:48:14 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v5.15.145~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ebea22e81c3988793470f080f667df5ff3fb494;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/afs-fix-dynamic-root-lookup-dns-check.patch b/queue-6.1/afs-fix-dynamic-root-lookup-dns-check.patch new file mode 100644 index 00000000000..03dd3e64bda --- /dev/null +++ b/queue-6.1/afs-fix-dynamic-root-lookup-dns-check.patch @@ -0,0 +1,75 @@ +From e764e3f7685ecc11a2c8e1a3a26cf7c28c6bea86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 15:15:02 +0000 +Subject: afs: Fix dynamic root lookup DNS check + +From: David Howells + +[ Upstream commit 74cef6872ceaefb5b6c5c60641371ea28702d358 ] + +In the afs dynamic root directory, the ->lookup() function does a DNS check +on the cell being asked for and if the DNS upcall reports an error it will +report an error back to userspace (typically ENOENT). + +However, if a failed DNS upcall returns a new-style result, it will return +a valid result, with the status field set appropriately to indicate the +type of failure - and in that case, dns_query() doesn't return an error and +we let stat() complete with no error - which can cause confusion in +userspace as subsequent calls that trigger d_automount then fail with +ENOENT. + +Fix this by checking the status result from a valid dns_query() and +returning an error if it indicates a failure. + +Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set") +Reported-by: Markus Suvanto +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637 +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 910c8a7a685ce..9937993cf29dc 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -114,6 +114,7 @@ static int afs_probe_cell_name(struct dentry *dentry) + struct afs_net *net = afs_d2net(dentry); + const char *name = dentry->d_name.name; + size_t len = dentry->d_name.len; ++ char *result = NULL; + int ret; + + /* Names prefixed with a dot are R/W mounts. */ +@@ -131,9 +132,22 @@ static int afs_probe_cell_name(struct dentry *dentry) + } + + ret = dns_query(net->net, "afsdb", name, len, "srv=1", +- NULL, NULL, false); +- if (ret == -ENODATA || ret == -ENOKEY) ++ &result, NULL, false); ++ if (ret == -ENODATA || ret == -ENOKEY || ret == 0) + ret = -ENOENT; ++ if (ret > 0 && ret >= sizeof(struct dns_server_list_v1_header)) { ++ struct dns_server_list_v1_header *v1 = (void *)result; ++ ++ if (v1->hdr.zero == 0 && ++ v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST && ++ v1->hdr.version == 1 && ++ (v1->status != DNS_LOOKUP_GOOD && ++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) ++ return -ENOENT; ++ ++ } ++ ++ kfree(result); + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.1/afs-fix-overwriting-of-result-of-dns-query.patch b/queue-6.1/afs-fix-overwriting-of-result-of-dns-query.patch new file mode 100644 index 00000000000..4ea31cf2595 --- /dev/null +++ b/queue-6.1/afs-fix-overwriting-of-result-of-dns-query.patch @@ -0,0 +1,58 @@ +From 0f0eae27bcdaff7e295417bc757966b3e6ed193b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:09:31 +0000 +Subject: afs: Fix overwriting of result of DNS query + +From: David Howells + +[ Upstream commit a9e01ac8c5ff32669119c40dfdc9e80eb0b7d7aa ] + +In afs_update_cell(), ret is the result of the DNS lookup and the errors +are to be handled by a switch - however, the value gets clobbered in +between by setting it to -ENOMEM in case afs_alloc_vlserver_list() +fails. + +Fix this by moving the setting of -ENOMEM into the error handling for +OOM failure. Further, only do it if we don't have an alternative error +to return. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. Based +on a patch from Anastasia Belova [1]. + +Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup") +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Anastasia Belova +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: lvc-project@linuxtesting.org +Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1] +Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index 988c2ac7cecec..926cb1188eba6 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -409,10 +409,12 @@ static int afs_update_cell(struct afs_cell *cell) + if (ret == -ENOMEM) + goto out_wake; + +- ret = -ENOMEM; + vllist = afs_alloc_vlserver_list(0); +- if (!vllist) ++ if (!vllist) { ++ if (ret >= 0) ++ ret = -ENOMEM; + goto out_wake; ++ } + + switch (ret) { + case -ENODATA: +-- +2.43.0 + diff --git a/queue-6.1/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch b/queue-6.1/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch new file mode 100644 index 00000000000..c559f6c31ff --- /dev/null +++ b/queue-6.1/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch @@ -0,0 +1,53 @@ +From 1d4ab22498e9b04a6f9bfbb6718f4b42e1432949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 15:08:57 +0000 +Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries + +From: David Howells + +[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ] + +Fix the afs dynamic root's d_delete function to always delete unused +dentries rather than only deleting them if they're positive. With things +as they stand upstream, negative dentries stemming from failed DNS lookups +stick around preventing retries. + +Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables") +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 91e804c70dd0a..910c8a7a685ce 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -252,20 +252,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags) + return 1; + } + +-/* +- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't +- * sleep) +- * - called from dput() when d_count is going to 0. +- * - return 1 to request dentry be unhashed, 0 otherwise +- */ +-static int afs_dynroot_d_delete(const struct dentry *dentry) +-{ +- return d_really_is_positive(dentry); +-} +- + const struct dentry_operations afs_dynroot_dentry_operations = { + .d_revalidate = afs_dynroot_d_revalidate, +- .d_delete = afs_dynroot_d_delete, ++ .d_delete = always_delete_dentry, + .d_release = afs_d_release, + .d_automount = afs_d_automount, + }; +-- +2.43.0 + diff --git a/queue-6.1/afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch b/queue-6.1/afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch new file mode 100644 index 00000000000..ad88d0d4a8b --- /dev/null +++ b/queue-6.1/afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch @@ -0,0 +1,128 @@ +From 7a8d7d64a37240605efb45bed4a90ce8aaff70a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 13:57:31 +0000 +Subject: afs: Fix use-after-free due to get/remove race in volume tree + +From: David Howells + +[ Upstream commit 9a6b294ab496650e9f270123730df37030911b55 ] + +When an afs_volume struct is put, its refcount is reduced to 0 before +the cell->volume_lock is taken and the volume removed from the +cell->volumes tree. + +Unfortunately, this means that the lookup code can race and see a volume +with a zero ref in the tree, resulting in a use-after-free: + + refcount_t: addition on 0; use-after-free. + WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda + ... + RIP: 0010:refcount_warn_saturate+0x7a/0xda + ... + Call Trace: + afs_get_volume+0x3d/0x55 + afs_create_volume+0x126/0x1de + afs_validate_fc+0xfe/0x130 + afs_get_tree+0x20/0x2e5 + vfs_get_tree+0x1d/0xc9 + do_new_mount+0x13b/0x22e + do_mount+0x5d/0x8a + __do_sys_mount+0x100/0x12a + do_syscall_64+0x3a/0x94 + entry_SYSCALL_64_after_hwframe+0x62/0x6a + +Fix this by: + + (1) When putting, use a flag to indicate if the volume has been removed + from the tree and skip the rb_erase if it has. + + (2) When looking up, use a conditional ref increment and if it fails + because the refcount is 0, replace the node in the tree and set the + removal flag. + +Fixes: 20325960f875 ("afs: Reorganise volume and server trees to be rooted on the cell") +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/internal.h | 2 ++ + fs/afs/volume.c | 26 +++++++++++++++++++++++--- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index c2d70fc1698c0..fcbb598d8c85d 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -585,6 +585,7 @@ struct afs_volume { + #define AFS_VOLUME_OFFLINE 4 /* - T if volume offline notice given */ + #define AFS_VOLUME_BUSY 5 /* - T if volume busy notice given */ + #define AFS_VOLUME_MAYBE_NO_IBULK 6 /* - T if some servers don't have InlineBulkStatus */ ++#define AFS_VOLUME_RM_TREE 7 /* - Set if volume removed from cell->volumes */ + #ifdef CONFIG_AFS_FSCACHE + struct fscache_volume *cache; /* Caching cookie */ + #endif +@@ -1517,6 +1518,7 @@ extern struct afs_vlserver_list *afs_extract_vlserver_list(struct afs_cell *, + extern struct afs_volume *afs_create_volume(struct afs_fs_context *); + extern int afs_activate_volume(struct afs_volume *); + extern void afs_deactivate_volume(struct afs_volume *); ++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason); + extern struct afs_volume *afs_get_volume(struct afs_volume *, enum afs_volume_trace); + extern void afs_put_volume(struct afs_net *, struct afs_volume *, enum afs_volume_trace); + extern int afs_check_volume_status(struct afs_volume *, struct afs_operation *); +diff --git a/fs/afs/volume.c b/fs/afs/volume.c +index f4937029dcd72..1c9144e3e83ac 100644 +--- a/fs/afs/volume.c ++++ b/fs/afs/volume.c +@@ -32,8 +32,13 @@ static struct afs_volume *afs_insert_volume_into_cell(struct afs_cell *cell, + } else if (p->vid > volume->vid) { + pp = &(*pp)->rb_right; + } else { +- volume = afs_get_volume(p, afs_volume_trace_get_cell_insert); +- goto found; ++ if (afs_try_get_volume(p, afs_volume_trace_get_cell_insert)) { ++ volume = p; ++ goto found; ++ } ++ ++ set_bit(AFS_VOLUME_RM_TREE, &volume->flags); ++ rb_replace_node_rcu(&p->cell_node, &volume->cell_node, &cell->volumes); + } + } + +@@ -56,7 +61,8 @@ static void afs_remove_volume_from_cell(struct afs_volume *volume) + afs_volume_trace_remove); + write_seqlock(&cell->volume_lock); + hlist_del_rcu(&volume->proc_link); +- rb_erase(&volume->cell_node, &cell->volumes); ++ if (!test_and_set_bit(AFS_VOLUME_RM_TREE, &volume->flags)) ++ rb_erase(&volume->cell_node, &cell->volumes); + write_sequnlock(&cell->volume_lock); + } + } +@@ -235,6 +241,20 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume) + _leave(" [destroyed]"); + } + ++/* ++ * Try to get a reference on a volume record. ++ */ ++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason) ++{ ++ int r; ++ ++ if (__refcount_inc_not_zero(&volume->ref, &r)) { ++ trace_afs_volume(volume->vid, r + 1, reason); ++ return true; ++ } ++ return false; ++} ++ + /* + * Get a reference on a volume record. + */ +-- +2.43.0 + diff --git a/queue-6.1/arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch b/queue-6.1/arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch new file mode 100644 index 00000000000..43432aadf3d --- /dev/null +++ b/queue-6.1/arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch @@ -0,0 +1,38 @@ +From a0cf7e6a807e3f85c91ba114e895bd3c6c03e289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 12:16:04 -0600 +Subject: ARM: dts: dra7: Fix DRA7 L3 NoC node register size + +From: Andrew Davis + +[ Upstream commit 1e5caee2ba8f1426e8098afb4ca38dc40a0ca71b ] + +This node can access any part of the L3 configuration registers space, +including CLK1 and CLK2 which are 0x800000 offset. Restore this area +size to include these areas. + +Fixes: 7f2659ce657e ("ARM: dts: Move dra7 l3 noc to a separate node") +Signed-off-by: Andrew Davis +Message-ID: <20231113181604.546444-1-afd@ti.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/dra7.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi +index 97ce0c4f1df7e..a79920ec461f0 100644 +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -144,7 +144,7 @@ + + l3-noc@44000000 { + compatible = "ti,dra7-l3-noc"; +- reg = <0x44000000 0x1000>, ++ reg = <0x44000000 0x1000000>, + <0x45000000 0x1000>; + interrupts-extended = <&crossbar_mpu GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>, + <&wakeupgen GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>; +-- +2.43.0 + diff --git a/queue-6.1/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch b/queue-6.1/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch new file mode 100644 index 00000000000..5c27c3a8bd5 --- /dev/null +++ b/queue-6.1/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch @@ -0,0 +1,50 @@ +From c205d41e85f9981dea115739bae12f1463da7ecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 22:52:37 +0800 +Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in + omap_soc_device_init + +From: Kunwu Chan + +[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ] + +kasprintf() returns a pointer to dynamically allocated memory which can +be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger +the null pointer dereference issue, such as in 'soc_info_show'. + +And when 'soc_device_register' fails, it's necessary to release +'soc_dev_attr->family' to avoid memory leaks. + +Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace") +Signed-off-by: Kunwu Chan +Message-ID: <20231123145237.609442-1-chentao@kylinos.cn> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/id.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c +index 59755b5a1ad7a..75091aa7269ae 100644 +--- a/arch/arm/mach-omap2/id.c ++++ b/arch/arm/mach-omap2/id.c +@@ -793,11 +793,16 @@ void __init omap_soc_device_init(void) + + soc_dev_attr->machine = soc_name; + soc_dev_attr->family = omap_get_family(); ++ if (!soc_dev_attr->family) { ++ kfree(soc_dev_attr); ++ return; ++ } + soc_dev_attr->revision = soc_rev; + soc_dev_attr->custom_attr_group = omap_soc_groups[0]; + + soc_dev = soc_device_register(soc_dev_attr); + if (IS_ERR(soc_dev)) { ++ kfree(soc_dev_attr->family); + kfree(soc_dev_attr); + return; + } +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-fix-deadlock-in-vhci_send_frame.patch b/queue-6.1/bluetooth-fix-deadlock-in-vhci_send_frame.patch new file mode 100644 index 00000000000..89f014fe80e --- /dev/null +++ b/queue-6.1/bluetooth-fix-deadlock-in-vhci_send_frame.patch @@ -0,0 +1,133 @@ +From 0339b3b0ffdd44f585eaf9fdf67001361a3278bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 01:46:05 +0000 +Subject: Bluetooth: Fix deadlock in vhci_send_frame + +From: Ying Hsu + +[ Upstream commit 769bf60e17ee1a56a81e7c031192c3928312c52e ] + +syzbot found a potential circular dependency leading to a deadlock: + -> #3 (&hdev->req_lock){+.+.}-{3:3}: + __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599 + __mutex_lock kernel/locking/mutex.c:732 [inline] + mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784 + hci_dev_do_close+0x3f/0x9f net/bluetooth/hci_core.c:551 + hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935 + rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345 + rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274 + vfs_write+0x277/0xcf5 fs/read_write.c:594 + ksys_write+0x19b/0x2bd fs/read_write.c:650 + do_syscall_x64 arch/x86/entry/common.c:55 [inline] + do_syscall_64+0x51/0xba arch/x86/entry/common.c:93 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + + -> #2 (rfkill_global_mutex){+.+.}-{3:3}: + __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599 + __mutex_lock kernel/locking/mutex.c:732 [inline] + mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784 + rfkill_register+0x30/0x7e3 net/rfkill/core.c:1045 + hci_register_dev+0x48f/0x96d net/bluetooth/hci_core.c:2622 + __vhci_create_device drivers/bluetooth/hci_vhci.c:341 [inline] + vhci_create_device+0x3ad/0x68f drivers/bluetooth/hci_vhci.c:374 + vhci_get_user drivers/bluetooth/hci_vhci.c:431 [inline] + vhci_write+0x37b/0x429 drivers/bluetooth/hci_vhci.c:511 + call_write_iter include/linux/fs.h:2109 [inline] + new_sync_write fs/read_write.c:509 [inline] + vfs_write+0xaa8/0xcf5 fs/read_write.c:596 + ksys_write+0x19b/0x2bd fs/read_write.c:650 + do_syscall_x64 arch/x86/entry/common.c:55 [inline] + do_syscall_64+0x51/0xba arch/x86/entry/common.c:93 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + + -> #1 (&data->open_mutex){+.+.}-{3:3}: + __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599 + __mutex_lock kernel/locking/mutex.c:732 [inline] + mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784 + vhci_send_frame+0x68/0x9c drivers/bluetooth/hci_vhci.c:75 + hci_send_frame+0x1cc/0x2ff net/bluetooth/hci_core.c:2989 + hci_sched_acl_pkt net/bluetooth/hci_core.c:3498 [inline] + hci_sched_acl net/bluetooth/hci_core.c:3583 [inline] + hci_tx_work+0xb94/0x1a60 net/bluetooth/hci_core.c:3654 + process_one_work+0x901/0xfb8 kernel/workqueue.c:2310 + worker_thread+0xa67/0x1003 kernel/workqueue.c:2457 + kthread+0x36a/0x430 kernel/kthread.c:319 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 + + -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}: + check_prev_add kernel/locking/lockdep.c:3053 [inline] + check_prevs_add kernel/locking/lockdep.c:3172 [inline] + validate_chain kernel/locking/lockdep.c:3787 [inline] + __lock_acquire+0x2d32/0x77fa kernel/locking/lockdep.c:5011 + lock_acquire+0x273/0x4d5 kernel/locking/lockdep.c:5622 + __flush_work+0xee/0x19f kernel/workqueue.c:3090 + hci_dev_close_sync+0x32f/0x1113 net/bluetooth/hci_sync.c:4352 + hci_dev_do_close+0x47/0x9f net/bluetooth/hci_core.c:553 + hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935 + rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345 + rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274 + vfs_write+0x277/0xcf5 fs/read_write.c:594 + ksys_write+0x19b/0x2bd fs/read_write.c:650 + do_syscall_x64 arch/x86/entry/common.c:55 [inline] + do_syscall_64+0x51/0xba arch/x86/entry/common.c:93 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + +This change removes the need for acquiring the open_mutex in +vhci_send_frame, thus eliminating the potential deadlock while +maintaining the required packet ordering. + +Fixes: 92d4abd66f70 ("Bluetooth: vhci: Fix race when opening vhci device") +Signed-off-by: Ying Hsu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_vhci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index 4415d850d698b..44dc91555aa00 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -11,6 +11,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -44,6 +45,7 @@ struct vhci_data { + bool wakeup; + __u16 msft_opcode; + bool aosp_capable; ++ atomic_t initialized; + }; + + static int vhci_open_dev(struct hci_dev *hdev) +@@ -75,11 +77,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb) + + memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1); + +- mutex_lock(&data->open_mutex); + skb_queue_tail(&data->readq, skb); +- mutex_unlock(&data->open_mutex); + +- wake_up_interruptible(&data->read_wait); ++ if (atomic_read(&data->initialized)) ++ wake_up_interruptible(&data->read_wait); + return 0; + } + +@@ -363,7 +364,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + skb_put_u8(skb, 0xff); + skb_put_u8(skb, opcode); + put_unaligned_le16(hdev->id, skb_put(skb, 2)); +- skb_queue_tail(&data->readq, skb); ++ skb_queue_head(&data->readq, skb); ++ atomic_inc(&data->initialized); + + wake_up_interruptible(&data->read_wait); + return 0; +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-hci_event-shut-up-a-false-positive-warning.patch b/queue-6.1/bluetooth-hci_event-shut-up-a-false-positive-warning.patch new file mode 100644 index 00000000000..baefb6b1de9 --- /dev/null +++ b/queue-6.1/bluetooth-hci_event-shut-up-a-false-positive-warning.patch @@ -0,0 +1,51 @@ +From 4b4870b16776a4abede8b33c9caf6d35901d94d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 23:17:44 +0100 +Subject: Bluetooth: hci_event: shut up a false-positive warning + +From: Arnd Bergmann + +[ Upstream commit a5812c68d849505ea657f653446512b85887f813 ] + +Turning on -Wstringop-overflow globally exposed a misleading compiler +warning in bluetooth: + +net/bluetooth/hci_event.c: In function 'hci_cc_read_class_of_dev': +net/bluetooth/hci_event.c:524:9: error: 'memcpy' writing 3 bytes into a +region of size 0 overflows the destination [-Werror=stringop-overflow=] + 524 | memcpy(hdev->dev_class, rp->dev_class, 3); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The problem here is the check for hdev being NULL in bt_dev_dbg() that +leads the compiler to conclude that hdev->dev_class might be an invalid +pointer access. + +Add another explicit check for the same condition to make sure gcc sees +this cannot happen. + +Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes") +Fixes: 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") +Signed-off-by: Arnd Bergmann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index c86a45344fe28..5e406e8716a0e 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -515,6 +515,9 @@ static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data, + { + struct hci_rp_read_class_of_dev *rp = data; + ++ if (WARN_ON(!hdev)) ++ return HCI_ERROR_UNSPECIFIED; ++ + bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); + + if (rp->status) +-- +2.43.0 + diff --git a/queue-6.1/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch b/queue-6.1/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch new file mode 100644 index 00000000000..f4597954a19 --- /dev/null +++ b/queue-6.1/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch @@ -0,0 +1,44 @@ +From dc43bbffaae138f7a058c82af8b72768d69a2d8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 21:04:04 +0800 +Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources + +From: Zhipeng Lu + +[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ] + +In the error handling of 'offset > adapter->ring_size', the +tx_ring->tx_buffer allocated by kzalloc should be freed, +instead of 'goto failed' instantly. + +Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver") +Signed-off-by: Zhipeng Lu +Reviewed-by: Suman Ghosh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index 5935be190b9e2..5f2a6fcba9670 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -866,10 +866,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter) + netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n", + offset, adapter->ring_size); + err = -1; +- goto failed; ++ goto free_buffer; + } + + return 0; ++free_buffer: ++ kfree(tx_ring->tx_buffer); ++ tx_ring->tx_buffer = NULL; + failed: + if (adapter->ring_vir_addr != NULL) { + dma_free_coherent(&pdev->dev, adapter->ring_size, +-- +2.43.0 + diff --git a/queue-6.1/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch b/queue-6.1/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch new file mode 100644 index 00000000000..2a1705c1562 --- /dev/null +++ b/queue-6.1/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch @@ -0,0 +1,281 @@ +From b6fb72f2f996ecead19058839a0c666272e2915d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 00:41:55 +0000 +Subject: keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on + expiry + +From: David Howells + +[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ] + +If a key has an expiration time, then when that time passes, the key is +left around for a certain amount of time before being collected (5 mins by +default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a +problem for DNS keys because we want to redo the DNS lookup immediately at +that point. + +Fix this by allowing key types to be marked such that keys of that type +don't have this extra period, but are reclaimed as soon as they expire and +turn this on for dns_resolver-type keys. To make this easier to handle, +key->expiry is changed to be permanent if TIME64_MAX rather than 0. + +Furthermore, give such new-style negative DNS results a 1s default expiry +if no other expiry time is set rather than allowing it to stick around +indefinitely. This shouldn't be zero as ls will follow a failing stat call +immediately with a second with AT_SYMLINK_NOFOLLOW added. + +Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code") +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Wang Lei +cc: Jeff Layton +cc: Steve French +cc: Marc Dionne +cc: Jarkko Sakkinen +cc: "David S. Miller" +cc: Eric Dumazet +cc: Jakub Kicinski +cc: Paolo Abeni +cc: linux-afs@lists.infradead.org +cc: linux-cifs@vger.kernel.org +cc: linux-nfs@vger.kernel.org +cc: ceph-devel@vger.kernel.org +cc: keyrings@vger.kernel.org +cc: netdev@vger.kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/key-type.h | 1 + + net/dns_resolver/dns_key.c | 10 +++++++++- + security/keys/gc.c | 31 +++++++++++++++++++++---------- + security/keys/internal.h | 11 ++++++++++- + security/keys/key.c | 15 +++++---------- + security/keys/proc.c | 2 +- + 6 files changed, 47 insertions(+), 23 deletions(-) + +diff --git a/include/linux/key-type.h b/include/linux/key-type.h +index 7d985a1dfe4af..5caf3ce823733 100644 +--- a/include/linux/key-type.h ++++ b/include/linux/key-type.h +@@ -73,6 +73,7 @@ struct key_type { + + unsigned int flags; + #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */ ++#define KEY_TYPE_INSTANT_REAP 0x00000002 /* Keys of this type don't have a delay after expiring */ + + /* vet a description */ + int (*vet_description)(const char *description); +diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c +index 3aced951d5ab8..03f8f33dc134c 100644 +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -91,6 +91,7 @@ const struct cred *dns_resolver_cache; + static int + dns_resolver_preparse(struct key_preparsed_payload *prep) + { ++ const struct dns_server_list_v1_header *v1; + const struct dns_payload_header *bin; + struct user_key_payload *upayload; + unsigned long derrno; +@@ -122,6 +123,13 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) + return -EINVAL; + } + ++ v1 = (const struct dns_server_list_v1_header *)bin; ++ if ((v1->status != DNS_LOOKUP_GOOD && ++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) { ++ if (prep->expiry == TIME64_MAX) ++ prep->expiry = ktime_get_real_seconds() + 1; ++ } ++ + result_len = datalen; + goto store_result; + } +@@ -314,7 +322,7 @@ static long dns_resolver_read(const struct key *key, + + struct key_type key_type_dns_resolver = { + .name = "dns_resolver", +- .flags = KEY_TYPE_NET_DOMAIN, ++ .flags = KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP, + .preparse = dns_resolver_preparse, + .free_preparse = dns_resolver_free_preparse, + .instantiate = generic_key_instantiate, +diff --git a/security/keys/gc.c b/security/keys/gc.c +index 3c90807476eb0..eaddaceda14ea 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -66,6 +66,19 @@ void key_schedule_gc(time64_t gc_at) + } + } + ++/* ++ * Set the expiration time on a key. ++ */ ++void key_set_expiry(struct key *key, time64_t expiry) ++{ ++ key->expiry = expiry; ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ key_schedule_gc(expiry); ++ } ++} ++ + /* + * Schedule a dead links collection run. + */ +@@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work) + static u8 gc_state; /* Internal persistent state */ + #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */ + #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */ +-#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */ + #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */ + #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */ + #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */ +@@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work) + + struct rb_node *cursor; + struct key *key; +- time64_t new_timer, limit; ++ time64_t new_timer, limit, expiry; + + kenter("[%lx,%x]", key_gc_flags, gc_state); + + limit = ktime_get_real_seconds(); +- if (limit > key_gc_delay) +- limit -= key_gc_delay; +- else +- limit = key_gc_delay; + + /* Work out what we're going to be doing in this pass */ + gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2; + gc_state <<= 1; + if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags)) +- gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER; ++ gc_state |= KEY_GC_REAPING_LINKS; + + if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) + gc_state |= KEY_GC_REAPING_DEAD_1; +@@ -233,8 +241,11 @@ static void key_garbage_collector(struct work_struct *work) + } + } + +- if (gc_state & KEY_GC_SET_TIMER) { +- if (key->expiry > limit && key->expiry < new_timer) { ++ expiry = key->expiry; ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ if (expiry > limit && expiry < new_timer) { + kdebug("will expire %x in %lld", + key_serial(key), key->expiry - limit); + new_timer = key->expiry; +@@ -276,7 +287,7 @@ static void key_garbage_collector(struct work_struct *work) + */ + kdebug("pass complete"); + +- if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) { ++ if (new_timer != TIME64_MAX) { + new_timer += key_gc_delay; + key_schedule_gc(new_timer); + } +diff --git a/security/keys/internal.h b/security/keys/internal.h +index 3c1e7122076b9..ec2ec335b6133 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -174,6 +174,7 @@ extern unsigned key_gc_delay; + extern void keyring_gc(struct key *keyring, time64_t limit); + extern void keyring_restriction_gc(struct key *keyring, + struct key_type *dead_type); ++void key_set_expiry(struct key *key, time64_t expiry); + extern void key_schedule_gc(time64_t gc_at); + extern void key_schedule_gc_links(void); + extern void key_gc_keytype(struct key_type *ktype); +@@ -222,10 +223,18 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id); + */ + static inline bool key_is_dead(const struct key *key, time64_t limit) + { ++ time64_t expiry = key->expiry; ++ ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ if (expiry <= limit) ++ return true; ++ } ++ + return + key->flags & ((1 << KEY_FLAG_DEAD) | + (1 << KEY_FLAG_INVALIDATED)) || +- (key->expiry > 0 && key->expiry <= limit) || + key->domain_tag->removed; + } + +diff --git a/security/keys/key.c b/security/keys/key.c +index c45afdd1dfbb4..e65240641ca57 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, + key->uid = uid; + key->gid = gid; + key->perm = perm; ++ key->expiry = TIME64_MAX; + key->restrict_link = restrict_link; + key->last_used_at = ktime_get_real_seconds(); + +@@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key, + if (authkey) + key_invalidate(authkey); + +- if (prep->expiry != TIME64_MAX) { +- key->expiry = prep->expiry; +- key_schedule_gc(prep->expiry + key_gc_delay); +- } ++ key_set_expiry(key, prep->expiry); + } + } + +@@ -606,8 +604,7 @@ int key_reject_and_link(struct key *key, + atomic_inc(&key->user->nikeys); + mark_key_instantiated(key, -error); + notify_key(key, NOTIFY_KEY_INSTANTIATED, -error); +- key->expiry = ktime_get_real_seconds() + timeout; +- key_schedule_gc(key->expiry + key_gc_delay); ++ key_set_expiry(key, ktime_get_real_seconds() + timeout); + + if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) + awaken = 1; +@@ -722,16 +719,14 @@ struct key_type *key_type_lookup(const char *type) + + void key_set_timeout(struct key *key, unsigned timeout) + { +- time64_t expiry = 0; ++ time64_t expiry = TIME64_MAX; + + /* make the changes with the locks held to prevent races */ + down_write(&key->sem); + + if (timeout > 0) + expiry = ktime_get_real_seconds() + timeout; +- +- key->expiry = expiry; +- key_schedule_gc(key->expiry + key_gc_delay); ++ key_set_expiry(key, expiry); + + up_write(&key->sem); + } +diff --git a/security/keys/proc.c b/security/keys/proc.c +index d0cde6685627f..4f4e2c1824f18 100644 +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v) + + /* come up with a suitable timeout value */ + expiry = READ_ONCE(key->expiry); +- if (expiry == 0) { ++ if (expiry == TIME64_MAX) { + memcpy(xbuf, "perm", 5); + } else if (now >= expiry) { + memcpy(xbuf, "expd", 5); +-- +2.43.0 + diff --git a/queue-6.1/net-check-dev-gso_max_size-in-gso_features_check.patch b/queue-6.1/net-check-dev-gso_max_size-in-gso_features_check.patch new file mode 100644 index 00000000000..43ec6b3e368 --- /dev/null +++ b/queue-6.1/net-check-dev-gso_max_size-in-gso_features_check.patch @@ -0,0 +1,49 @@ +From 49aa05537cf207288821bf6f16f4cc5888554670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 12:53:31 +0000 +Subject: net: check dev->gso_max_size in gso_features_check() + +From: Eric Dumazet + +[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ] + +Some drivers might misbehave if TSO packets get too big. + +GVE for instance uses a 16bit field in its TX descriptor, +and will do bad things if a packet is bigger than 2^16 bytes. + +Linux TCP stack honors dev->gso_max_size, but there are +other ways for too big packets to reach an ndo_start_xmit() +handler : virtio_net, af_packet, GRO... + +Add a generic check in gso_features_check() and fallback +to GSO when needed. + +gso_max_size was added in the blamed commit. + +Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 0d5aa820fd830..0a5566b6f8a25 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3551,6 +3551,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, + if (gso_segs > READ_ONCE(dev->gso_max_segs)) + return features & ~NETIF_F_GSO_MASK; + ++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size))) ++ return features & ~NETIF_F_GSO_MASK; ++ + if (!skb_shinfo(skb)->gso_type) { + skb_warn_bad_offload(skb); + return features & ~NETIF_F_GSO_MASK; +-- +2.43.0 + diff --git a/queue-6.1/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch b/queue-6.1/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch new file mode 100644 index 00000000000..55eb632314d --- /dev/null +++ b/queue-6.1/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch @@ -0,0 +1,99 @@ +From d5b572757848b7157e7567154d0e97ee21095db3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 15:52:18 +0800 +Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and + vlan_vids_del_by_dev() + +From: Liu Jian + +[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ] + +I got the below warning trace: + +WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify +CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0 +Call Trace: + rtnl_dellink + rtnetlink_rcv_msg + netlink_rcv_skb + netlink_unicast + netlink_sendmsg + __sock_sendmsg + ____sys_sendmsg + ___sys_sendmsg + __sys_sendmsg + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +It can be repoduced via: + + ip netns add ns1 + ip netns exec ns1 ip link add bond0 type bond mode 0 + ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + ip netns exec ns1 ip link set bond_slave_1 master bond0 +[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off +[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0 +[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0 +[4] ip netns exec ns1 ip link set bond_slave_1 nomaster +[5] ip netns exec ns1 ip link del veth2 + ip netns del ns1 + +This is all caused by command [1] turning off the rx-vlan-filter function +of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix +incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands +[2] [3] add the same vid to slave and master respectively, causing +command [4] to empty slave->vlan_info. The following command [5] triggers +this problem. + +To fix this problem, we should add VLAN_FILTER feature checks in +vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect +addition or deletion of vlan_vid information. + +Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device") +Signed-off-by: Liu Jian +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c +index 0beb44f2fe1f0..f001582345052 100644 +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -407,6 +407,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + return 0; + + list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + err = vlan_vid_add(dev, vid_info->proto, vid_info->vid); + if (err) + goto unwind; +@@ -417,6 +419,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + list_for_each_entry_continue_reverse(vid_info, + &vlan_info->vid_list, + list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + } + +@@ -436,8 +440,11 @@ void vlan_vids_del_by_dev(struct net_device *dev, + if (!vlan_info) + return; + +- list_for_each_entry(vid_info, &vlan_info->vid_list, list) ++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); ++ } + } + EXPORT_SYMBOL(vlan_vids_del_by_dev); + +-- +2.43.0 + diff --git a/queue-6.1/net-mana-select-page_pool.patch b/queue-6.1/net-mana-select-page_pool.patch new file mode 100644 index 00000000000..228a4d21f51 --- /dev/null +++ b/queue-6.1/net-mana-select-page_pool.patch @@ -0,0 +1,49 @@ +From 1220617da92a464c1931b2264e795590ee6da7ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 12:33:53 -0800 +Subject: net: mana: select PAGE_POOL + +From: Yury Norov + +[ Upstream commit 340943fbff3d8faa44d2223ca04917df28786a07 ] + +Mana uses PAGE_POOL API. x86_64 defconfig doesn't select it: + +ld: vmlinux.o: in function `mana_create_page_pool.isra.0': +mana_en.c:(.text+0x9ae36f): undefined reference to `page_pool_create' +ld: vmlinux.o: in function `mana_get_rxfrag': +mana_en.c:(.text+0x9afed1): undefined reference to `page_pool_alloc_pages' +make[3]: *** [/home/yury/work/linux/scripts/Makefile.vmlinux:37: vmlinux] Error 1 +make[2]: *** [/home/yury/work/linux/Makefile:1154: vmlinux] Error 2 +make[1]: *** [/home/yury/work/linux/Makefile:234: __sub-make] Error 2 +make[1]: Leaving directory '/home/yury/work/build-linux-x86_64' +make: *** [Makefile:234: __sub-make] Error 2 + +So we need to select it explicitly. + +Signed-off-by: Yury Norov +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Fixes: ca9c54d2 ("net: mana: Add a driver for Microsoft Azure Network Adapter") +Link: https://lore.kernel.org/r/20231215203353.635379-1-yury.norov@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/microsoft/Kconfig b/drivers/net/ethernet/microsoft/Kconfig +index fe4e7a7d9c0b5..8b6c4cc37c53c 100644 +--- a/drivers/net/ethernet/microsoft/Kconfig ++++ b/drivers/net/ethernet/microsoft/Kconfig +@@ -19,6 +19,7 @@ config MICROSOFT_MANA + tristate "Microsoft Azure Network Adapter (MANA) support" + depends on PCI_MSI && X86_64 + depends on PCI_HYPERV ++ select PAGE_POOL + help + This driver supports Microsoft Azure Network Adapter (MANA). + So far, the driver is only supported on X86_64. +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-fix-fw-tracer-first-block-check.patch b/queue-6.1/net-mlx5-fix-fw-tracer-first-block-check.patch new file mode 100644 index 00000000000..140b1827831 --- /dev/null +++ b/queue-6.1/net-mlx5-fix-fw-tracer-first-block-check.patch @@ -0,0 +1,39 @@ +From 84fb9bf3970ef052523a042eec33b9b32014a669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 11:30:34 +0200 +Subject: net/mlx5: Fix fw tracer first block check + +From: Moshe Shemesh + +[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ] + +While handling new traces, to verify it is not the first block being +written, last_timestamp is checked. But instead of checking it is non +zero it is verified to be zero. Fix to verify last_timestamp is not +zero. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Moshe Shemesh +Reviewed-by: Feras Daoud +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 374c0011a127b..3ba54ffa54bfe 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -691,7 +691,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + + while (block_timestamp > tracer->last_timestamp) { + /* Check block override if it's not the first block */ +- if (!tracer->last_timestamp) { ++ if (tracer->last_timestamp) { + u64 *ts_event; + /* To avoid block override be the HW in case of buffer + * wraparound, the time stamp of the previous block +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-introduce-and-use-opcode-getter-in-command-.patch b/queue-6.1/net-mlx5-introduce-and-use-opcode-getter-in-command-.patch new file mode 100644 index 00000000000..7f13919fce6 --- /dev/null +++ b/queue-6.1/net-mlx5-introduce-and-use-opcode-getter-in-command-.patch @@ -0,0 +1,273 @@ +From a289d942f7e007f32be8d984a513bde37f5c384a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 09:45:24 +0200 +Subject: net/mlx5: Introduce and use opcode getter in command interface + +From: Tariq Toukan + +[ Upstream commit 7cb5eb937231663d11f7817e366f6f86a142d6d3 ] + +Introduce an opcode getter in the FW command interface, and use it. +Initialize the entry's opcode field early in cmd_alloc_ent() and use it +when possible. + +Signed-off-by: Tariq Toukan +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Stable-dep-of: 8f5100da56b3 ("net/mlx5e: Fix a race in command alloc flow") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 88 +++++++++---------- + 1 file changed, 42 insertions(+), 46 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index b3253e263ebc8..edc42f0b3e74d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -48,6 +48,25 @@ + #define CREATE_TRACE_POINTS + #include "diag/cmd_tracepoint.h" + ++struct mlx5_ifc_mbox_out_bits { ++ u8 status[0x8]; ++ u8 reserved_at_8[0x18]; ++ ++ u8 syndrome[0x20]; ++ ++ u8 reserved_at_40[0x40]; ++}; ++ ++struct mlx5_ifc_mbox_in_bits { ++ u8 opcode[0x10]; ++ u8 uid[0x10]; ++ ++ u8 reserved_at_20[0x10]; ++ u8 op_mod[0x10]; ++ ++ u8 reserved_at_40[0x40]; ++}; ++ + enum { + CMD_IF_REV = 5, + }; +@@ -71,6 +90,11 @@ enum { + MLX5_CMD_DELIVERY_STAT_CMD_DESCR_ERR = 0x10, + }; + ++static u16 in_to_opcode(void *in) ++{ ++ return MLX5_GET(mbox_in, in, opcode); ++} ++ + static struct mlx5_cmd_work_ent * + cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in, + struct mlx5_cmd_msg *out, void *uout, int uout_size, +@@ -92,6 +116,7 @@ cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in, + ent->context = context; + ent->cmd = cmd; + ent->page_queue = page_queue; ++ ent->op = in_to_opcode(in->first.data); + refcount_set(&ent->refcnt, 1); + + return ent; +@@ -753,25 +778,6 @@ static int cmd_status_to_err(u8 status) + } + } + +-struct mlx5_ifc_mbox_out_bits { +- u8 status[0x8]; +- u8 reserved_at_8[0x18]; +- +- u8 syndrome[0x20]; +- +- u8 reserved_at_40[0x40]; +-}; +- +-struct mlx5_ifc_mbox_in_bits { +- u8 opcode[0x10]; +- u8 uid[0x10]; +- +- u8 reserved_at_20[0x10]; +- u8 op_mod[0x10]; +- +- u8 reserved_at_40[0x40]; +-}; +- + void mlx5_cmd_out_err(struct mlx5_core_dev *dev, u16 opcode, u16 op_mod, void *out) + { + u32 syndrome = MLX5_GET(mbox_out, out, syndrome); +@@ -789,7 +795,7 @@ static void cmd_status_print(struct mlx5_core_dev *dev, void *in, void *out) + u16 opcode, op_mod; + u16 uid; + +- opcode = MLX5_GET(mbox_in, in, opcode); ++ opcode = in_to_opcode(in); + op_mod = MLX5_GET(mbox_in, in, op_mod); + uid = MLX5_GET(mbox_in, in, uid); + +@@ -801,7 +807,7 @@ int mlx5_cmd_check(struct mlx5_core_dev *dev, int err, void *in, void *out) + { + /* aborted due to PCI error or via reset flow mlx5_cmd_trigger_completions() */ + if (err == -ENXIO) { +- u16 opcode = MLX5_GET(mbox_in, in, opcode); ++ u16 opcode = in_to_opcode(in); + u32 syndrome; + u8 status; + +@@ -830,9 +836,9 @@ static void dump_command(struct mlx5_core_dev *dev, + struct mlx5_cmd_work_ent *ent, int input) + { + struct mlx5_cmd_msg *msg = input ? ent->in : ent->out; +- u16 op = MLX5_GET(mbox_in, ent->lay->in, opcode); + struct mlx5_cmd_mailbox *next = msg->next; + int n = mlx5_calc_cmd_blocks(msg); ++ u16 op = ent->op; + int data_only; + u32 offset = 0; + int dump_len; +@@ -884,11 +890,6 @@ static void dump_command(struct mlx5_core_dev *dev, + mlx5_core_dbg(dev, "cmd[%d]: end dump\n", ent->idx); + } + +-static u16 msg_to_opcode(struct mlx5_cmd_msg *in) +-{ +- return MLX5_GET(mbox_in, in->first.data, opcode); +-} +- + static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced); + + static void cb_timeout_handler(struct work_struct *work) +@@ -906,13 +907,13 @@ static void cb_timeout_handler(struct work_struct *work) + /* Maybe got handled by eq recover ? */ + if (!test_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state)) { + mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) Async, recovered after timeout\n", ent->idx, +- mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in)); ++ mlx5_command_str(ent->op), ent->op); + goto out; /* phew, already handled */ + } + + ent->ret = -ETIMEDOUT; + mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) Async, timeout. Will cause a leak of a command resource\n", +- ent->idx, mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in)); ++ ent->idx, mlx5_command_str(ent->op), ent->op); + mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, true); + + out: +@@ -986,7 +987,6 @@ static void cmd_work_handler(struct work_struct *work) + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); + memcpy(lay->in, ent->in->first.data, sizeof(lay->in)); +- ent->op = be32_to_cpu(lay->in[0]) >> 16; + if (ent->in->next) + lay->in_ptr = cpu_to_be64(ent->in->next->dma); + lay->inlen = cpu_to_be32(ent->in->len); +@@ -1099,12 +1099,12 @@ static void wait_func_handle_exec_timeout(struct mlx5_core_dev *dev, + */ + if (wait_for_completion_timeout(&ent->done, timeout)) { + mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) recovered after timeout\n", ent->idx, +- mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in)); ++ mlx5_command_str(ent->op), ent->op); + return; + } + + mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) No done completion\n", ent->idx, +- mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in)); ++ mlx5_command_str(ent->op), ent->op); + + ent->ret = -ETIMEDOUT; + mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, true); +@@ -1131,12 +1131,10 @@ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent) + + if (err == -ETIMEDOUT) { + mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n", +- mlx5_command_str(msg_to_opcode(ent->in)), +- msg_to_opcode(ent->in)); ++ mlx5_command_str(ent->op), ent->op); + } else if (err == -ECANCELED) { + mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n", +- mlx5_command_str(msg_to_opcode(ent->in)), +- msg_to_opcode(ent->in)); ++ mlx5_command_str(ent->op), ent->op); + } + mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n", + err, deliv_status_to_str(ent->status), ent->status); +@@ -1170,7 +1168,6 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + u8 status = 0; + int err = 0; + s64 ds; +- u16 op; + + if (callback && page_queue) + return -EINVAL; +@@ -1210,9 +1207,8 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + goto out_free; + + ds = ent->ts2 - ent->ts1; +- op = MLX5_GET(mbox_in, in->first.data, opcode); +- if (op < MLX5_CMD_OP_MAX) { +- stats = &cmd->stats[op]; ++ if (ent->op < MLX5_CMD_OP_MAX) { ++ stats = &cmd->stats[ent->op]; + spin_lock_irq(&stats->lock); + stats->sum += ds; + ++stats->n; +@@ -1220,7 +1216,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + } + mlx5_core_dbg_mask(dev, 1 << MLX5_CMD_TIME, + "fw exec time for %s is %lld nsec\n", +- mlx5_command_str(op), ds); ++ mlx5_command_str(ent->op), ds); + + out_free: + status = ent->status; +@@ -1817,7 +1813,7 @@ static struct mlx5_cmd_msg *alloc_msg(struct mlx5_core_dev *dev, int in_size, + + static int is_manage_pages(void *in) + { +- return MLX5_GET(mbox_in, in, opcode) == MLX5_CMD_OP_MANAGE_PAGES; ++ return in_to_opcode(in) == MLX5_CMD_OP_MANAGE_PAGES; + } + + /* Notes: +@@ -1828,8 +1824,8 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out, + int out_size, mlx5_cmd_cbk_t callback, void *context, + bool force_polling) + { +- u16 opcode = MLX5_GET(mbox_in, in, opcode); + struct mlx5_cmd_msg *inb, *outb; ++ u16 opcode = in_to_opcode(in); + int pages_queue; + gfp_t gfp; + u8 token; +@@ -1952,8 +1948,8 @@ static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, u16 op + int mlx5_cmd_do(struct mlx5_core_dev *dev, void *in, int in_size, void *out, int out_size) + { + int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, false); +- u16 opcode = MLX5_GET(mbox_in, in, opcode); + u16 op_mod = MLX5_GET(mbox_in, in, op_mod); ++ u16 opcode = in_to_opcode(in); + + return cmd_status_err(dev, err, opcode, op_mod, out); + } +@@ -1998,8 +1994,8 @@ int mlx5_cmd_exec_polling(struct mlx5_core_dev *dev, void *in, int in_size, + void *out, int out_size) + { + int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, true); +- u16 opcode = MLX5_GET(mbox_in, in, opcode); + u16 op_mod = MLX5_GET(mbox_in, in, op_mod); ++ u16 opcode = in_to_opcode(in); + + err = cmd_status_err(dev, err, opcode, op_mod, out); + return mlx5_cmd_check(dev, err, in, out); +@@ -2051,7 +2047,7 @@ int mlx5_cmd_exec_cb(struct mlx5_async_ctx *ctx, void *in, int in_size, + + work->ctx = ctx; + work->user_callback = callback; +- work->opcode = MLX5_GET(mbox_in, in, opcode); ++ work->opcode = in_to_opcode(in); + work->op_mod = MLX5_GET(mbox_in, in, op_mod); + work->out = out; + if (WARN_ON(!atomic_inc_not_zero(&ctx->num_inflight))) +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-prevent-high-rate-fw-commands-from-populati.patch b/queue-6.1/net-mlx5-prevent-high-rate-fw-commands-from-populati.patch new file mode 100644 index 00000000000..faeda0b30df --- /dev/null +++ b/queue-6.1/net-mlx5-prevent-high-rate-fw-commands-from-populati.patch @@ -0,0 +1,121 @@ +From 318ffb90aa14004ffe47744138af6dcce4452d7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 14:47:30 +0300 +Subject: net/mlx5: Prevent high-rate FW commands from populating all slots + +From: Tariq Toukan + +[ Upstream commit 63fbae0a74c3e1df7c20c81e04353ced050d9887 ] + +Certain connection-based device-offload protocols (like TLS) use +per-connection HW objects to track the state, maintain the context, and +perform the offload properly. Some of these objects are created, +modified, and destroyed via FW commands. Under high connection rate, +this type of FW commands might continuously populate all slots of the FW +command interface and throttle it, while starving other critical control +FW commands. + +Limit these throttle commands to using only up to a portion (half) of +the FW command interface slots. FW commands maximal rate is not hit, and +the same high rate is still reached when applying this limitation. + +Signed-off-by: Tariq Toukan +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Stable-dep-of: 8f5100da56b3 ("net/mlx5e: Fix a race in command alloc flow") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 30 ++++++++++++++++++- + include/linux/mlx5/driver.h | 1 + + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index edc42f0b3e74d..84f926064cf7b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -95,6 +95,21 @@ static u16 in_to_opcode(void *in) + return MLX5_GET(mbox_in, in, opcode); + } + ++/* Returns true for opcodes that might be triggered very frequently and throttle ++ * the command interface. Limit their command slots usage. ++ */ ++static bool mlx5_cmd_is_throttle_opcode(u16 op) ++{ ++ switch (op) { ++ case MLX5_CMD_OP_CREATE_GENERAL_OBJECT: ++ case MLX5_CMD_OP_DESTROY_GENERAL_OBJECT: ++ case MLX5_CMD_OP_MODIFY_GENERAL_OBJECT: ++ case MLX5_CMD_OP_QUERY_GENERAL_OBJECT: ++ return true; ++ } ++ return false; ++} ++ + static struct mlx5_cmd_work_ent * + cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in, + struct mlx5_cmd_msg *out, void *uout, int uout_size, +@@ -1826,6 +1841,7 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out, + { + struct mlx5_cmd_msg *inb, *outb; + u16 opcode = in_to_opcode(in); ++ bool throttle_op; + int pages_queue; + gfp_t gfp; + u8 token; +@@ -1834,13 +1850,21 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out, + if (mlx5_cmd_is_down(dev) || !opcode_allowed(&dev->cmd, opcode)) + return -ENXIO; + ++ throttle_op = mlx5_cmd_is_throttle_opcode(opcode); ++ if (throttle_op) { ++ /* atomic context may not sleep */ ++ if (callback) ++ return -EINVAL; ++ down(&dev->cmd.throttle_sem); ++ } ++ + pages_queue = is_manage_pages(in); + gfp = callback ? GFP_ATOMIC : GFP_KERNEL; + + inb = alloc_msg(dev, in_size, gfp); + if (IS_ERR(inb)) { + err = PTR_ERR(inb); +- return err; ++ goto out_up; + } + + token = alloc_token(&dev->cmd); +@@ -1874,6 +1898,9 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out, + mlx5_free_cmd_msg(dev, outb); + out_in: + free_msg(dev, inb); ++out_up: ++ if (throttle_op) ++ up(&dev->cmd.throttle_sem); + return err; + } + +@@ -2218,6 +2245,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev) + + sema_init(&cmd->sem, cmd->max_reg_cmds); + sema_init(&cmd->pages_sem, 1); ++ sema_init(&cmd->throttle_sem, DIV_ROUND_UP(cmd->max_reg_cmds, 2)); + + cmd_h = (u32)((u64)(cmd->dma) >> 32); + cmd_l = (u32)(cmd->dma); +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 3660ce6a93496..ce019c337f67f 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -308,6 +308,7 @@ struct mlx5_cmd { + struct workqueue_struct *wq; + struct semaphore sem; + struct semaphore pages_sem; ++ struct semaphore throttle_sem; + int mode; + u16 allowed_opcode; + struct mlx5_cmd_work_ent *ent_arr[MLX5_MAX_COMMANDS]; +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-re-organize-mlx5_cmd-struct.patch b/queue-6.1/net-mlx5-re-organize-mlx5_cmd-struct.patch new file mode 100644 index 00000000000..5761b387864 --- /dev/null +++ b/queue-6.1/net-mlx5-re-organize-mlx5_cmd-struct.patch @@ -0,0 +1,337 @@ +From 99ab2af911689d2c12eea3f7977a983e6a76e64b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 16:52:17 +0200 +Subject: net/mlx5: Re-organize mlx5_cmd struct + +From: Shay Drory + +[ Upstream commit 58db72869a9f8e01910844ca145efc2ea91bbbf9 ] + +Downstream patch will split mlx5_cmd_init() to probe and reload +routines. As a preparation, organize mlx5_cmd struct so that any +field that will be used in the reload routine are grouped at new +nested struct. + +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Stable-dep-of: 8f5100da56b3 ("net/mlx5e: Fix a race in command alloc flow") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 94 +++++++++---------- + .../net/ethernet/mellanox/mlx5/core/debugfs.c | 4 +- + include/linux/mlx5/driver.h | 21 +++-- + 3 files changed, 60 insertions(+), 59 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 84f926064cf7b..e89d4fb7774bb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -162,18 +162,18 @@ static int cmd_alloc_index(struct mlx5_cmd *cmd) + int ret; + + spin_lock_irqsave(&cmd->alloc_lock, flags); +- ret = find_first_bit(&cmd->bitmask, cmd->max_reg_cmds); +- if (ret < cmd->max_reg_cmds) +- clear_bit(ret, &cmd->bitmask); ++ ret = find_first_bit(&cmd->vars.bitmask, cmd->vars.max_reg_cmds); ++ if (ret < cmd->vars.max_reg_cmds) ++ clear_bit(ret, &cmd->vars.bitmask); + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + +- return ret < cmd->max_reg_cmds ? ret : -ENOMEM; ++ return ret < cmd->vars.max_reg_cmds ? ret : -ENOMEM; + } + + static void cmd_free_index(struct mlx5_cmd *cmd, int idx) + { + lockdep_assert_held(&cmd->alloc_lock); +- set_bit(idx, &cmd->bitmask); ++ set_bit(idx, &cmd->vars.bitmask); + } + + static void cmd_ent_get(struct mlx5_cmd_work_ent *ent) +@@ -192,7 +192,7 @@ static void cmd_ent_put(struct mlx5_cmd_work_ent *ent) + + if (ent->idx >= 0) { + cmd_free_index(cmd, ent->idx); +- up(ent->page_queue ? &cmd->pages_sem : &cmd->sem); ++ up(ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem); + } + + cmd_free_ent(ent); +@@ -202,7 +202,7 @@ static void cmd_ent_put(struct mlx5_cmd_work_ent *ent) + + static struct mlx5_cmd_layout *get_inst(struct mlx5_cmd *cmd, int idx) + { +- return cmd->cmd_buf + (idx << cmd->log_stride); ++ return cmd->cmd_buf + (idx << cmd->vars.log_stride); + } + + static int mlx5_calc_cmd_blocks(struct mlx5_cmd_msg *msg) +@@ -971,7 +971,7 @@ static void cmd_work_handler(struct work_struct *work) + cb_timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD)); + + complete(&ent->handling); +- sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; ++ sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem; + down(sem); + if (!ent->page_queue) { + alloc_ret = cmd_alloc_index(cmd); +@@ -991,9 +991,9 @@ static void cmd_work_handler(struct work_struct *work) + } + ent->idx = alloc_ret; + } else { +- ent->idx = cmd->max_reg_cmds; ++ ent->idx = cmd->vars.max_reg_cmds; + spin_lock_irqsave(&cmd->alloc_lock, flags); +- clear_bit(ent->idx, &cmd->bitmask); ++ clear_bit(ent->idx, &cmd->vars.bitmask); + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + +@@ -1569,15 +1569,15 @@ void mlx5_cmd_allowed_opcode(struct mlx5_core_dev *dev, u16 opcode) + struct mlx5_cmd *cmd = &dev->cmd; + int i; + +- for (i = 0; i < cmd->max_reg_cmds; i++) +- down(&cmd->sem); +- down(&cmd->pages_sem); ++ for (i = 0; i < cmd->vars.max_reg_cmds; i++) ++ down(&cmd->vars.sem); ++ down(&cmd->vars.pages_sem); + + cmd->allowed_opcode = opcode; + +- up(&cmd->pages_sem); +- for (i = 0; i < cmd->max_reg_cmds; i++) +- up(&cmd->sem); ++ up(&cmd->vars.pages_sem); ++ for (i = 0; i < cmd->vars.max_reg_cmds; i++) ++ up(&cmd->vars.sem); + } + + static void mlx5_cmd_change_mod(struct mlx5_core_dev *dev, int mode) +@@ -1585,15 +1585,15 @@ static void mlx5_cmd_change_mod(struct mlx5_core_dev *dev, int mode) + struct mlx5_cmd *cmd = &dev->cmd; + int i; + +- for (i = 0; i < cmd->max_reg_cmds; i++) +- down(&cmd->sem); +- down(&cmd->pages_sem); ++ for (i = 0; i < cmd->vars.max_reg_cmds; i++) ++ down(&cmd->vars.sem); ++ down(&cmd->vars.pages_sem); + + cmd->mode = mode; + +- up(&cmd->pages_sem); +- for (i = 0; i < cmd->max_reg_cmds; i++) +- up(&cmd->sem); ++ up(&cmd->vars.pages_sem); ++ for (i = 0; i < cmd->vars.max_reg_cmds; i++) ++ up(&cmd->vars.sem); + } + + static int cmd_comp_notifier(struct notifier_block *nb, +@@ -1652,7 +1652,7 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + + /* there can be at most 32 command queues */ + vector = vec & 0xffffffff; +- for (i = 0; i < (1 << cmd->log_sz); i++) { ++ for (i = 0; i < (1 << cmd->vars.log_sz); i++) { + if (test_bit(i, &vector)) { + ent = cmd->ent_arr[i]; + +@@ -1741,7 +1741,7 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + /* wait for pending handlers to complete */ + mlx5_eq_synchronize_cmd_irq(dev); + spin_lock_irqsave(&dev->cmd.alloc_lock, flags); +- vector = ~dev->cmd.bitmask & ((1ul << (1 << dev->cmd.log_sz)) - 1); ++ vector = ~dev->cmd.vars.bitmask & ((1ul << (1 << dev->cmd.vars.log_sz)) - 1); + if (!vector) + goto no_trig; + +@@ -1750,14 +1750,14 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + * to guarantee pending commands will not get freed in the meanwhile. + * For that reason, it also has to be done inside the alloc_lock. + */ +- for_each_set_bit(i, &bitmask, (1 << cmd->log_sz)) ++ for_each_set_bit(i, &bitmask, (1 << cmd->vars.log_sz)) + cmd_ent_get(cmd->ent_arr[i]); + vector |= MLX5_TRIGGERED_CMD_COMP; + spin_unlock_irqrestore(&dev->cmd.alloc_lock, flags); + + mlx5_core_dbg(dev, "vector 0x%llx\n", vector); + mlx5_cmd_comp_handler(dev, vector, true); +- for_each_set_bit(i, &bitmask, (1 << cmd->log_sz)) ++ for_each_set_bit(i, &bitmask, (1 << cmd->vars.log_sz)) + cmd_ent_put(cmd->ent_arr[i]); + return; + +@@ -1770,22 +1770,22 @@ void mlx5_cmd_flush(struct mlx5_core_dev *dev) + struct mlx5_cmd *cmd = &dev->cmd; + int i; + +- for (i = 0; i < cmd->max_reg_cmds; i++) { +- while (down_trylock(&cmd->sem)) { ++ for (i = 0; i < cmd->vars.max_reg_cmds; i++) { ++ while (down_trylock(&cmd->vars.sem)) { + mlx5_cmd_trigger_completions(dev); + cond_resched(); + } + } + +- while (down_trylock(&cmd->pages_sem)) { ++ while (down_trylock(&cmd->vars.pages_sem)) { + mlx5_cmd_trigger_completions(dev); + cond_resched(); + } + + /* Unlock cmdif */ +- up(&cmd->pages_sem); +- for (i = 0; i < cmd->max_reg_cmds; i++) +- up(&cmd->sem); ++ up(&cmd->vars.pages_sem); ++ for (i = 0; i < cmd->vars.max_reg_cmds; i++) ++ up(&cmd->vars.sem); + } + + static struct mlx5_cmd_msg *alloc_msg(struct mlx5_core_dev *dev, int in_size, +@@ -1855,7 +1855,7 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out, + /* atomic context may not sleep */ + if (callback) + return -EINVAL; +- down(&dev->cmd.throttle_sem); ++ down(&dev->cmd.vars.throttle_sem); + } + + pages_queue = is_manage_pages(in); +@@ -1900,7 +1900,7 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out, + free_msg(dev, inb); + out_up: + if (throttle_op) +- up(&dev->cmd.throttle_sem); ++ up(&dev->cmd.vars.throttle_sem); + return err; + } + +@@ -2210,16 +2210,16 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev) + goto err_free_pool; + + cmd_l = ioread32be(&dev->iseg->cmdq_addr_l_sz) & 0xff; +- cmd->log_sz = cmd_l >> 4 & 0xf; +- cmd->log_stride = cmd_l & 0xf; +- if (1 << cmd->log_sz > MLX5_MAX_COMMANDS) { ++ cmd->vars.log_sz = cmd_l >> 4 & 0xf; ++ cmd->vars.log_stride = cmd_l & 0xf; ++ if (1 << cmd->vars.log_sz > MLX5_MAX_COMMANDS) { + mlx5_core_err(dev, "firmware reports too many outstanding commands %d\n", +- 1 << cmd->log_sz); ++ 1 << cmd->vars.log_sz); + err = -EINVAL; + goto err_free_page; + } + +- if (cmd->log_sz + cmd->log_stride > MLX5_ADAPTER_PAGE_SHIFT) { ++ if (cmd->vars.log_sz + cmd->vars.log_stride > MLX5_ADAPTER_PAGE_SHIFT) { + mlx5_core_err(dev, "command queue size overflow\n"); + err = -EINVAL; + goto err_free_page; +@@ -2227,13 +2227,13 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev) + + cmd->state = MLX5_CMDIF_STATE_DOWN; + cmd->checksum_disabled = 1; +- cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; +- cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; ++ cmd->vars.max_reg_cmds = (1 << cmd->vars.log_sz) - 1; ++ cmd->vars.bitmask = (1UL << cmd->vars.max_reg_cmds) - 1; + +- cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; +- if (cmd->cmdif_rev > CMD_IF_REV) { ++ cmd->vars.cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; ++ if (cmd->vars.cmdif_rev > CMD_IF_REV) { + mlx5_core_err(dev, "driver does not support command interface version. driver %d, firmware %d\n", +- CMD_IF_REV, cmd->cmdif_rev); ++ CMD_IF_REV, cmd->vars.cmdif_rev); + err = -EOPNOTSUPP; + goto err_free_page; + } +@@ -2243,9 +2243,9 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev) + for (i = 0; i < MLX5_CMD_OP_MAX; i++) + spin_lock_init(&cmd->stats[i].lock); + +- sema_init(&cmd->sem, cmd->max_reg_cmds); +- sema_init(&cmd->pages_sem, 1); +- sema_init(&cmd->throttle_sem, DIV_ROUND_UP(cmd->max_reg_cmds, 2)); ++ sema_init(&cmd->vars.sem, cmd->vars.max_reg_cmds); ++ sema_init(&cmd->vars.pages_sem, 1); ++ sema_init(&cmd->vars.throttle_sem, DIV_ROUND_UP(cmd->vars.max_reg_cmds, 2)); + + cmd_h = (u32)((u64)(cmd->dma) >> 32); + cmd_l = (u32)(cmd->dma); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c +index bb95b40d25eb5..e0b0729e238c1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c +@@ -176,8 +176,8 @@ static ssize_t slots_read(struct file *filp, char __user *buf, size_t count, + int ret; + + cmd = filp->private_data; +- weight = bitmap_weight(&cmd->bitmask, cmd->max_reg_cmds); +- field = cmd->max_reg_cmds - weight; ++ weight = bitmap_weight(&cmd->vars.bitmask, cmd->vars.max_reg_cmds); ++ field = cmd->vars.max_reg_cmds - weight; + ret = snprintf(tbuf, sizeof(tbuf), "%d\n", field); + return simple_read_from_buffer(buf, count, pos, tbuf, ret); + } +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index ce019c337f67f..93ec34a94b724 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -282,18 +282,23 @@ struct mlx5_cmd_stats { + struct mlx5_cmd { + struct mlx5_nb nb; + ++ /* members which needs to be queried or reinitialized each reload */ ++ struct { ++ u16 cmdif_rev; ++ u8 log_sz; ++ u8 log_stride; ++ int max_reg_cmds; ++ unsigned long bitmask; ++ struct semaphore sem; ++ struct semaphore pages_sem; ++ struct semaphore throttle_sem; ++ } vars; + enum mlx5_cmdif_state state; + void *cmd_alloc_buf; + dma_addr_t alloc_dma; + int alloc_size; + void *cmd_buf; + dma_addr_t dma; +- u16 cmdif_rev; +- u8 log_sz; +- u8 log_stride; +- int max_reg_cmds; +- int events; +- u32 __iomem *vector; + + /* protect command queue allocations + */ +@@ -303,12 +308,8 @@ struct mlx5_cmd { + */ + spinlock_t token_lock; + u8 token; +- unsigned long bitmask; + char wq_name[MLX5_CMD_WQ_MAX_NAME]; + struct workqueue_struct *wq; +- struct semaphore sem; +- struct semaphore pages_sem; +- struct semaphore throttle_sem; + int mode; + u16 allowed_opcode; + struct mlx5_cmd_work_ent *ent_arr[MLX5_MAX_COMMANDS]; +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch b/queue-6.1/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch new file mode 100644 index 00000000000..24757b16b37 --- /dev/null +++ b/queue-6.1/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch @@ -0,0 +1,42 @@ +From 0cb9b7db6ec63a8876d9ff6840827cf88981b910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 15:00:21 -0800 +Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer + +From: Rahul Rameshbabu + +[ Upstream commit ad436b9c1270c40554e274f067f1b78fcc06a004 ] + +snprintf returns the length of the formatted string, excluding the trailing +null, without accounting for truncation. This means that is the return +value is greater than or equal to the size parameter, the fw_version string +was truncated. + +Reported-by: David Laight +Closes: https://lore.kernel.org/netdev/81cae734ee1b4cde9b380a9a31006c1a@AcuMS.aculab.com/ +Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf +Fixes: 41e63c2baa11 ("net/mlx5e: Check return value of snprintf writing to fw_version buffer") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index eeba91d9c5211..ceeb23f478e15 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -49,7 +49,7 @@ void mlx5e_ethtool_get_drvinfo(struct mlx5e_priv *priv, + count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d (%.16s)", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id); +- if (count == sizeof(drvinfo->fw_version)) ++ if (count >= sizeof(drvinfo->fw_version)) + snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev)); +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-17801 b/queue-6.1/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-17801 new file mode 100644 index 00000000000..58dcc75268e --- /dev/null +++ b/queue-6.1/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-17801 @@ -0,0 +1,41 @@ +From 035b759314b101cb25e0fe11411bc74cb54b59ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 15:00:22 -0800 +Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer + used by representors + +From: Rahul Rameshbabu + +[ Upstream commit b13559b76157de9d74f04d3ca0e49d69de3b5675 ] + +snprintf returns the length of the formatted string, excluding the trailing +null, without accounting for truncation. This means that is the return +value is greater than or equal to the size parameter, the fw_version string +was truncated. + +Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf +Fixes: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 2653cb96c3105..5aeca9534f15a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -76,7 +76,7 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev, + count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d (%.16s)", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id); +- if (count == sizeof(drvinfo->fw_version)) ++ if (count >= sizeof(drvinfo->fw_version)) + snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev)); +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch b/queue-6.1/net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch new file mode 100644 index 00000000000..c10f4c54080 --- /dev/null +++ b/queue-6.1/net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch @@ -0,0 +1,40 @@ +From a163131bada996e1331ec0989d538cd1e3e87fbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 17:40:53 +0800 +Subject: net/mlx5e: fix a potential double-free in fs_udp_create_groups + +From: Dinghao Liu + +[ Upstream commit e75efc6466ae289e599fb12a5a86545dff245c65 ] + +When kcalloc() for ft->g succeeds but kvzalloc() for in fails, +fs_udp_create_groups() will free ft->g. However, its caller +fs_udp_create_table() will free ft->g again through calling +mlx5e_destroy_flow_table(), which will lead to a double-free. +Fix this by setting ft->g to NULL in fs_udp_create_groups(). + +Fixes: 1c80bd684388 ("net/mlx5e: Introduce Flow Steering UDP API") +Signed-off-by: Dinghao Liu +Reviewed-by: Tariq Toukan +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c +index be83ad9db82a4..e1283531e0b81 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c +@@ -154,6 +154,7 @@ static int fs_udp_create_groups(struct mlx5e_flow_table *ft, enum fs_udp_type ty + in = kvzalloc(inlen, GFP_KERNEL); + if (!in || !ft->g) { + kfree(ft->g); ++ ft->g = NULL; + kvfree(in); + return -ENOMEM; + } +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-fix-a-race-in-command-alloc-flow.patch b/queue-6.1/net-mlx5e-fix-a-race-in-command-alloc-flow.patch new file mode 100644 index 00000000000..4434b9af828 --- /dev/null +++ b/queue-6.1/net-mlx5e-fix-a-race-in-command-alloc-flow.patch @@ -0,0 +1,126 @@ +From 14ebb4aefc49774d05508c5dc1df1de47f17d276 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Dec 2023 00:01:26 -0800 +Subject: net/mlx5e: Fix a race in command alloc flow + +From: Shifeng Li + +[ Upstream commit 8f5100da56b3980276234e812ce98d8f075194cd ] + +Fix a cmd->ent use after free due to a race on command entry. +Such race occurs when one of the commands releases its last refcount and +frees its index and entry while another process running command flush +flow takes refcount to this command entry. The process which handles +commands flush may see this command as needed to be flushed if the other +process allocated a ent->idx but didn't set ent to cmd->ent_arr in +cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into +the spin lock. + +[70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core] +[70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361 +[70013.081968] +[70013.082028] Workqueue: events aer_isr +[70013.082053] Call Trace: +[70013.082067] dump_stack+0x8b/0xbb +[70013.082086] print_address_description+0x6a/0x270 +[70013.082102] kasan_report+0x179/0x2c0 +[70013.082173] mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core] +[70013.082267] mlx5_cmd_flush+0x80/0x180 [mlx5_core] +[70013.082304] mlx5_enter_error_state+0x106/0x1d0 [mlx5_core] +[70013.082338] mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core] +[70013.082377] remove_one+0x200/0x2b0 [mlx5_core] +[70013.082409] pci_device_remove+0xf3/0x280 +[70013.082439] device_release_driver_internal+0x1c3/0x470 +[70013.082453] pci_stop_bus_device+0x109/0x160 +[70013.082468] pci_stop_and_remove_bus_device+0xe/0x20 +[70013.082485] pcie_do_fatal_recovery+0x167/0x550 +[70013.082493] aer_isr+0x7d2/0x960 +[70013.082543] process_one_work+0x65f/0x12d0 +[70013.082556] worker_thread+0x87/0xb50 +[70013.082571] kthread+0x2e9/0x3a0 +[70013.082592] ret_from_fork+0x1f/0x40 + +The logical relationship of this error is as follows: + + aer_recover_work | ent->work +-------------------------------------------+------------------------------ +aer_recover_work_func | +|- pcie_do_recovery | + |- report_error_detected | + |- mlx5_pci_err_detected |cmd_work_handler + |- mlx5_enter_error_state | |- cmd_alloc_index + |- enter_error_state | |- lock cmd->alloc_lock + |- mlx5_cmd_flush | |- clear_bit + |- mlx5_cmd_trigger_completions| |- unlock cmd->alloc_lock + |- lock cmd->alloc_lock | + |- vector = ~dev->cmd.vars.bitmask + |- for_each_set_bit | + |- cmd_ent_get(cmd->ent_arr[i]) (UAF) + |- unlock cmd->alloc_lock | |- cmd->ent_arr[ent->idx]=ent + +The cmd->ent_arr[ent->idx] assignment and the bit clearing are not +protected by the cmd->alloc_lock in cmd_work_handler(). + +Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler") +Reviewed-by: Moshe Shemesh +Signed-off-by: Shifeng Li +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index e89d4fb7774bb..ac6a0785b10d8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -156,15 +156,18 @@ static u8 alloc_token(struct mlx5_cmd *cmd) + return token; + } + +-static int cmd_alloc_index(struct mlx5_cmd *cmd) ++static int cmd_alloc_index(struct mlx5_cmd *cmd, struct mlx5_cmd_work_ent *ent) + { + unsigned long flags; + int ret; + + spin_lock_irqsave(&cmd->alloc_lock, flags); + ret = find_first_bit(&cmd->vars.bitmask, cmd->vars.max_reg_cmds); +- if (ret < cmd->vars.max_reg_cmds) ++ if (ret < cmd->vars.max_reg_cmds) { + clear_bit(ret, &cmd->vars.bitmask); ++ ent->idx = ret; ++ cmd->ent_arr[ent->idx] = ent; ++ } + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + + return ret < cmd->vars.max_reg_cmds ? ret : -ENOMEM; +@@ -974,7 +977,7 @@ static void cmd_work_handler(struct work_struct *work) + sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem; + down(sem); + if (!ent->page_queue) { +- alloc_ret = cmd_alloc_index(cmd); ++ alloc_ret = cmd_alloc_index(cmd, ent); + if (alloc_ret < 0) { + mlx5_core_err_rl(dev, "failed to allocate command entry\n"); + if (ent->callback) { +@@ -989,15 +992,14 @@ static void cmd_work_handler(struct work_struct *work) + up(sem); + return; + } +- ent->idx = alloc_ret; + } else { + ent->idx = cmd->vars.max_reg_cmds; + spin_lock_irqsave(&cmd->alloc_lock, flags); + clear_bit(ent->idx, &cmd->vars.bitmask); ++ cmd->ent_arr[ent->idx] = ent; + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + +- cmd->ent_arr[ent->idx] = ent; + lay = get_inst(cmd, ent->idx); + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch b/queue-6.1/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch new file mode 100644 index 00000000000..659bc4284c0 --- /dev/null +++ b/queue-6.1/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch @@ -0,0 +1,58 @@ +From 771fac0449d12ae93ed2c4b2ad66aea253073d32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 01:46:56 -0800 +Subject: net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() + +From: Shifeng Li + +[ Upstream commit ddb38ddff9c71026bad481b791a94d446ee37603 ] + +Out_sz that the size of out buffer is calculated using query_nic_vport +_context_in structure when driver query the MAC list. However query_nic +_vport_context_in structure is smaller than query_nic_vport_context_out. +When allowed_list_size is greater than 96, calling ether_addr_copy() will +trigger an slab-out-of-bounds. + +[ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core] +[ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461 +[ 1170.055870] +[ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core] +[ 1170.055936] Call Trace: +[ 1170.055949] dump_stack+0x8b/0xbb +[ 1170.055958] print_address_description+0x6a/0x270 +[ 1170.055961] kasan_report+0x179/0x2c0 +[ 1170.056061] mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core] +[ 1170.056162] esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core] +[ 1170.056257] esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core] +[ 1170.056377] esw_vport_change_handler+0x6b/0x90 [mlx5_core] +[ 1170.056381] process_one_work+0x65f/0x12d0 +[ 1170.056383] worker_thread+0x87/0xb50 +[ 1170.056390] kthread+0x2e9/0x3a0 +[ 1170.056394] ret_from_fork+0x1f/0x40 + +Fixes: e16aea2744ab ("net/mlx5: Introduce access functions to modify/query vport mac lists") +Cc: Ding Hui +Signed-off-by: Shifeng Li +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/vport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +index d5c3173250309..3f68e3198aa64 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +@@ -277,7 +277,7 @@ int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev, + req_list_size = max_list_size; + } + +- out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_in) + ++ out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_out) + + req_list_size * MLX5_ST_SZ_BYTES(mac_address_layout); + + out = kvzalloc(out_sz, GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-6.1/net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch b/queue-6.1/net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch new file mode 100644 index 00000000000..6d2f4ddb2f3 --- /dev/null +++ b/queue-6.1/net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch @@ -0,0 +1,49 @@ +From 9098134c886607b2d5660f07ed5e5849024b72b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 02:09:01 +0200 +Subject: net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and + above + +From: Vladimir Oltean + +[ Upstream commit 52eda4641d041667fa059f4855c5f88dcebd8afe ] + +There is a typo in the driver due to which we report incorrect TX RMON +counters for the 256-511 octet bucket and all the other buckets larger +than that. + +Bug found with the selftest at +https://patchwork.kernel.org/project/netdevbpf/patch/20231211223346.2497157-9-tobias@waldekranz.com/ + +Fixes: e32036e1ae7b ("net: mscc: ocelot: add support for all sorts of standardized counters present in DSA") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20231214000902.545625-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_stats.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_stats.c b/drivers/net/ethernet/mscc/ocelot_stats.c +index 0066219bb0e89..6b95262dad904 100644 +--- a/drivers/net/ethernet/mscc/ocelot_stats.c ++++ b/drivers/net/ethernet/mscc/ocelot_stats.c +@@ -216,10 +216,10 @@ static void ocelot_port_rmon_stats_cb(struct ocelot *ocelot, int port, void *pri + rmon_stats->hist_tx[0] = s[OCELOT_STAT_TX_64]; + rmon_stats->hist_tx[1] = s[OCELOT_STAT_TX_65_127]; + rmon_stats->hist_tx[2] = s[OCELOT_STAT_TX_128_255]; +- rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_128_255]; +- rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_256_511]; +- rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_512_1023]; +- rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1024_1526]; ++ rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_256_511]; ++ rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_512_1023]; ++ rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_1024_1526]; ++ rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1527_MAX]; + } + + void ocelot_port_get_rmon_stats(struct ocelot *ocelot, int port, +-- +2.43.0 + diff --git a/queue-6.1/net-return-error-from-sk_stream_wait_connect-if-sk_w.patch b/queue-6.1/net-return-error-from-sk_stream_wait_connect-if-sk_w.patch new file mode 100644 index 00000000000..07d94149ac3 --- /dev/null +++ b/queue-6.1/net-return-error-from-sk_stream_wait_connect-if-sk_w.patch @@ -0,0 +1,74 @@ +From c949678dfd745d62e2a9442d6b05a4549b8b50e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 14:09:22 +0900 +Subject: net: Return error from sk_stream_wait_connect() if sk_wait_event() + fails + +From: Shigeru Yoshida + +[ Upstream commit cac23b7d7627915d967ce25436d7aae26e88ed06 ] + +The following NULL pointer dereference issue occurred: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +<...> +RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline] +RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356 +<...> +Call Trace: + + dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801 + inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x83/0xe0 net/socket.c:745 + ____sys_sendmsg+0x443/0x510 net/socket.c:2558 + ___sys_sendmsg+0xe5/0x150 net/socket.c:2612 + __sys_sendmsg+0xa6/0x120 net/socket.c:2641 + __do_sys_sendmsg net/socket.c:2650 [inline] + __se_sys_sendmsg net/socket.c:2648 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2648 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the +socket waiting for the event. However, sk_stream_wait_connect() returns +success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function +that waits for a connection with sk_stream_wait_connect() may misbehave. + +In the case of the above DCCP issue, dccp_sendmsg() is waiting for the +connection. If disconnect() is called in concurrently, the above issue +occurs. + +This patch fixes the issue by returning error from sk_stream_wait_connect() +if sk_wait_event() fails. + +Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting") +Signed-off-by: Shigeru Yoshida +Reviewed-by: Kuniyuki Iwashima +Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com +Reviewed-by: Eric Dumazet +Reported-by: syzbot +Reported-by: syzkaller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index 051aa71a8ad0f..30e7deff4c551 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -79,7 +79,7 @@ int sk_stream_wait_connect(struct sock *sk, long *timeo_p) + remove_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending--; + } while (!done); +- return 0; ++ return done < 0 ? done : 0; + } + EXPORT_SYMBOL(sk_stream_wait_connect); + +-- +2.43.0 + diff --git a/queue-6.1/net-rose-fix-races-in-rose_kill_by_device.patch b/queue-6.1/net-rose-fix-races-in-rose_kill_by_device.patch new file mode 100644 index 00000000000..6eb05346a22 --- /dev/null +++ b/queue-6.1/net-rose-fix-races-in-rose_kill_by_device.patch @@ -0,0 +1,177 @@ +From a10826494b4bcf12f6b5507e7a7d45aeab16fc16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 15:27:47 +0000 +Subject: net/rose: fix races in rose_kill_by_device() + +From: Eric Dumazet + +[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ] + +syzbot found an interesting netdev refcounting issue in +net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1] + +Problem is that rose_kill_by_device() can change rose->device +while other threads do not expect the pointer to be changed. + +We have to first collect sockets in a temporary array, +then perform the changes while holding the socket +lock and rose_list_lock spinlock (in this order) + +Change rose_release() to also acquire rose_list_lock +before releasing the netdev refcount. + +[1] + +[ 1185.055088][ T7889] ref_tracker: reference already released. +[ 1185.061476][ T7889] ref_tracker: allocated in: +[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10 +[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220 +[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0 +[ 1185.079356][ T7889] do_syscall_64+0x40/0x110 +[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.089835][ T7889] ref_tracker: freed in: +[ 1185.094088][ T7889] rose_release+0x2f5/0x570 +[ 1185.098629][ T7889] __sock_release+0xae/0x260 +[ 1185.103262][ T7889] sock_close+0x1c/0x20 +[ 1185.107453][ T7889] __fput+0x270/0xbb0 +[ 1185.111467][ T7889] task_work_run+0x14d/0x240 +[ 1185.116085][ T7889] get_signal+0x106f/0x2790 +[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0 +[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240 +[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60 +[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110 +[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.148085][ T7889] ------------[ cut here ]------------ + +WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Modules linked in: +CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44 +RSP: 0018:ffffc90004917850 EFLAGS: 00010202 +RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000 +RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001 +RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6 +R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c +R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff +FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +netdev_tracker_free include/linux/netdevice.h:4127 [inline] +netdev_put include/linux/netdevice.h:4144 [inline] +netdev_put include/linux/netdevice.h:4140 [inline] +rose_kill_by_device net/rose/af_rose.c:195 [inline] +rose_device_event+0x25d/0x330 net/rose/af_rose.c:218 +notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93 +call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967 +call_netdevice_notifiers_extack net/core/dev.c:2005 [inline] +call_netdevice_notifiers net/core/dev.c:2019 [inline] +__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646 +dev_change_flags+0x122/0x170 net/core/dev.c:8682 +dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529 +dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786 +sock_do_ioctl+0x198/0x270 net/socket.c:1234 +sock_ioctl+0x22e/0x6b0 net/socket.c:1339 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:871 [inline] +__se_sys_ioctl fs/ioctl.c:857 [inline] +__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7f0a7147cba9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9 +RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004 +RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Bernard Pidoux +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 674937284b8d2..29b74a569e0b0 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -182,21 +182,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh) + */ + static void rose_kill_by_device(struct net_device *dev) + { +- struct sock *s; ++ struct sock *sk, *array[16]; ++ struct rose_sock *rose; ++ bool rescan; ++ int i, cnt; + ++start: ++ rescan = false; ++ cnt = 0; + spin_lock_bh(&rose_list_lock); +- sk_for_each(s, &rose_list) { +- struct rose_sock *rose = rose_sk(s); ++ sk_for_each(sk, &rose_list) { ++ rose = rose_sk(sk); ++ if (rose->device == dev) { ++ if (cnt == ARRAY_SIZE(array)) { ++ rescan = true; ++ break; ++ } ++ sock_hold(sk); ++ array[cnt++] = sk; ++ } ++ } ++ spin_unlock_bh(&rose_list_lock); + ++ for (i = 0; i < cnt; i++) { ++ sk = array[cnt]; ++ rose = rose_sk(sk); ++ lock_sock(sk); ++ spin_lock_bh(&rose_list_lock); + if (rose->device == dev) { +- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); ++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); + if (rose->neighbour) + rose->neighbour->use--; + netdev_put(rose->device, &rose->dev_tracker); + rose->device = NULL; + } ++ spin_unlock_bh(&rose_list_lock); ++ release_sock(sk); ++ sock_put(sk); ++ cond_resched(); + } +- spin_unlock_bh(&rose_list_lock); ++ if (rescan) ++ goto start; + } + + /* +@@ -656,7 +682,10 @@ static int rose_release(struct socket *sock) + break; + } + ++ spin_lock_bh(&rose_list_lock); + netdev_put(rose->device, &rose->dev_tracker); ++ rose->device = NULL; ++ spin_unlock_bh(&rose_list_lock); + sock->sk = NULL; + release_sock(sk); + sock_put(sk); +-- +2.43.0 + diff --git a/queue-6.1/net-sched-ife-fix-potential-use-after-free.patch b/queue-6.1/net-sched-ife-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..9ee04ed4028 --- /dev/null +++ b/queue-6.1/net-sched-ife-fix-potential-use-after-free.patch @@ -0,0 +1,238 @@ +From dd65252c3bb286c6537db87b20cbad97b5ec1344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 11:30:38 +0000 +Subject: net: sched: ife: fix potential use-after-free + +From: Eric Dumazet + +[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ] + +ife_decode() calls pskb_may_pull() two times, we need to reload +ifehdr after the second one, or risk use-after-free as reported +by syzbot: + +BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline] +BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323 + +CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:364 [inline] +print_report+0xc4/0x620 mm/kasan/report.c:475 +kasan_report+0xda/0x110 mm/kasan/report.c:588 +__ife_tlv_meta_valid net/ife/ife.c:108 [inline] +ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +tcf_ife_decode net/sched/act_ife.c:739 [inline] +tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7fe9acc7cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9 +RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014 +R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78 + + +Allocated by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +____kasan_kmalloc mm/kasan/common.c:374 [inline] +__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383 +kasan_kmalloc include/linux/kasan.h:198 [inline] +__do_kmalloc_node mm/slab_common.c:1007 [inline] +__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Freed by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 +____kasan_slab_free mm/kasan/common.c:236 [inline] +____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 +kasan_slab_free include/linux/kasan.h:164 [inline] +slab_free_hook mm/slub.c:1800 [inline] +slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 +slab_free mm/slub.c:3809 [inline] +__kmem_cache_free+0xc0/0x180 mm/slub.c:3822 +skb_kfree_head net/core/skbuff.c:950 [inline] +skb_free_head+0x110/0x1b0 net/core/skbuff.c:962 +pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130 +__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655 +pskb_may_pull_reason include/linux/skbuff.h:2685 [inline] +pskb_may_pull include/linux/skbuff.h:2693 [inline] +ife_decode+0x394/0x4f0 net/ife/ife.c:82 +tcf_ife_decode net/sched/act_ife.c:727 [inline] +tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The buggy address belongs to the object at ffff88802d730000 +which belongs to the cache kmalloc-8k of size 8192 +The buggy address is located 164 bytes inside of +freed 8192-byte region [ffff88802d730000, ffff88802d732000) + +The buggy address belongs to the physical page: +page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730 +head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461 +set_page_owner include/linux/page_owner.h:31 [inline] +post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544 +prep_new_page mm/page_alloc.c:1551 [inline] +get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319 +__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575 +alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133 +alloc_slab_page mm/slub.c:1870 [inline] +allocate_slab mm/slub.c:2017 [inline] +new_slab+0x283/0x3c0 mm/slub.c:2070 +___slab_alloc+0x979/0x1500 mm/slub.c:3223 +__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 +__slab_alloc_node mm/slub.c:3375 [inline] +slab_alloc_node mm/slub.c:3468 [inline] +__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517 +__do_kmalloc_node mm/slab_common.c:1006 [inline] +__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +page last free stack trace: +reset_page_owner include/linux/page_owner.h:24 [inline] +free_pages_prepare mm/page_alloc.c:1144 [inline] +free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354 +free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494 +__unfreeze_partials+0x226/0x240 mm/slub.c:2655 +qlink_free mm/kasan/quarantine.c:168 [inline] +qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 +kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294 +__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 +kasan_slab_alloc include/linux/kasan.h:188 [inline] +slab_post_alloc_hook mm/slab.h:763 [inline] +slab_alloc_node mm/slub.c:3478 [inline] +slab_alloc mm/slub.c:3486 [inline] +__kmem_cache_alloc_lru mm/slub.c:3493 [inline] +kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509 +alloc_inode_sb include/linux/fs.h:2937 [inline] +ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408 +alloc_inode+0x5d/0x220 fs/inode.c:261 +new_inode_pseudo fs/inode.c:1006 [inline] +new_inode+0x22/0x260 fs/inode.c:1032 +__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958 +ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398 +vfs_symlink fs/namei.c:4464 [inline] +vfs_symlink+0x3e5/0x620 fs/namei.c:4448 +do_symlinkat+0x25f/0x310 fs/namei.c:4490 +__do_sys_symlinkat fs/namei.c:4506 [inline] +__se_sys_symlinkat fs/namei.c:4503 [inline] +__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 + +Fixes: d57493d6d1be ("net: sched: ife: check on metadata length") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jamal Hadi Salim +Cc: Alexander Aring +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ife/ife.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ife/ife.c b/net/ife/ife.c +index 13bbf8cb6a396..be05b690b9ef2 100644 +--- a/net/ife/ife.c ++++ b/net/ife/ife.c +@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) + if (unlikely(!pskb_may_pull(skb, total_pull))) + return NULL; + ++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len); + skb_set_mac_header(skb, total_pull); + __skb_pull(skb, total_pull); + *metalen = ifehdrln - IFE_METAHDRLEN; +-- +2.43.0 + diff --git a/queue-6.1/octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch b/queue-6.1/octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch new file mode 100644 index 00000000000..2b490dea31f --- /dev/null +++ b/queue-6.1/octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch @@ -0,0 +1,72 @@ +From 2be773b0d48e591a62bf46f7c3cd05672905e632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 23:40:44 +0530 +Subject: octeontx2-pf: Fix graceful exit during PFC configuration failure + +From: Suman Ghosh + +[ Upstream commit 8c97ab5448f2096daba11edf8d18a44e1eb6f31d ] + +During PFC configuration failure the code was not handling a graceful +exit. This patch fixes the same and add proper code for a graceful exit. + +Fixes: 99c969a83d82 ("octeontx2-pf: Add egress PFC support") +Signed-off-by: Suman Ghosh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c +index bfddbff7bcdfb..28fb643d2917f 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c +@@ -399,9 +399,10 @@ static int otx2_dcbnl_ieee_getpfc(struct net_device *dev, struct ieee_pfc *pfc) + static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc) + { + struct otx2_nic *pfvf = netdev_priv(dev); ++ u8 old_pfc_en; + int err; + +- /* Save PFC configuration to interface */ ++ old_pfc_en = pfvf->pfc_en; + pfvf->pfc_en = pfc->pfc_en; + + if (pfvf->hw.tx_queues >= NIX_PF_PFC_PRIO_MAX) +@@ -411,13 +412,17 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc) + * supported by the tx queue configuration + */ + err = otx2_check_pfc_config(pfvf); +- if (err) ++ if (err) { ++ pfvf->pfc_en = old_pfc_en; + return err; ++ } + + process_pfc: + err = otx2_config_priority_flow_ctrl(pfvf); +- if (err) ++ if (err) { ++ pfvf->pfc_en = old_pfc_en; + return err; ++ } + + /* Request Per channel Bpids */ + if (pfc->pfc_en) +@@ -425,6 +430,12 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc) + + err = otx2_pfc_txschq_update(pfvf); + if (err) { ++ if (pfc->pfc_en) ++ otx2_nix_config_bp(pfvf, false); ++ ++ otx2_pfc_txschq_stop(pfvf); ++ pfvf->pfc_en = old_pfc_en; ++ otx2_config_priority_flow_ctrl(pfvf); + dev_err(pfvf->dev, "%s failed to update TX schedulers\n", __func__); + return err; + } +-- +2.43.0 + diff --git a/queue-6.1/reset-fix-crash-when-freeing-non-existent-optional-r.patch b/queue-6.1/reset-fix-crash-when-freeing-non-existent-optional-r.patch new file mode 100644 index 00000000000..1f37ae26823 --- /dev/null +++ b/queue-6.1/reset-fix-crash-when-freeing-non-existent-optional-r.patch @@ -0,0 +1,63 @@ +From 99162aeab6be0fb51aba886a9097e63a052edc92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:55:33 +0100 +Subject: reset: Fix crash when freeing non-existent optional resets + +From: Geert Uytterhoeven + +[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ] + +When obtaining one or more optional resets, non-existent resets are +stored as NULL pointers, and all related error and cleanup paths need to +take this into account. + +Currently only reset_control_put() and reset_control_bulk_put() +get this right. All of __reset_control_bulk_get(), +of_reset_control_array_get(), and reset_control_array_put() lack the +proper checking, causing NULL pointer dereferences on failure or +release. + +Fix this by moving the existing check from reset_control_bulk_put() to +__reset_control_put_internal(), so it applies to all callers. +The double check in reset_control_put() doesn't hurt. + +Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets") +Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/reset/core.c b/drivers/reset/core.c +index f0a076e94118f..92cc13ef3e566 100644 +--- a/drivers/reset/core.c ++++ b/drivers/reset/core.c +@@ -807,6 +807,9 @@ static void __reset_control_put_internal(struct reset_control *rstc) + { + lockdep_assert_held(&reset_list_mutex); + ++ if (IS_ERR_OR_NULL(rstc)) ++ return; ++ + kref_put(&rstc->refcnt, __reset_control_release); + } + +@@ -1017,11 +1020,8 @@ EXPORT_SYMBOL_GPL(reset_control_put); + void reset_control_bulk_put(int num_rstcs, struct reset_control_bulk_data *rstcs) + { + mutex_lock(&reset_list_mutex); +- while (num_rstcs--) { +- if (IS_ERR_OR_NULL(rstcs[num_rstcs].rstc)) +- continue; ++ while (num_rstcs--) + __reset_control_put_internal(rstcs[num_rstcs].rstc); +- } + mutex_unlock(&reset_list_mutex); + } + EXPORT_SYMBOL_GPL(reset_control_bulk_put); +-- +2.43.0 + diff --git a/queue-6.1/revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch b/queue-6.1/revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch new file mode 100644 index 00000000000..2dc27d97cd8 --- /dev/null +++ b/queue-6.1/revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch @@ -0,0 +1,87 @@ +From 65bdac116c25ab5948b2c0870283594cebf172e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 13:51:52 +0100 +Subject: Revert "net/mlx5e: fix double free of encap_header in update funcs" + +From: Vlad Buslov + +[ Upstream commit 66ca8d4deca09bce3fc7bcf8ea7997fa1a51c33c ] + +This reverts commit 3a4aa3cb83563df942be49d145ee3b7ddf17d6bb. + +This patch is causing a null ptr issue, the proper fix is in the next +patch. + +Fixes: 3a4aa3cb8356 ("net/mlx5e: fix double free of encap_header in update funcs") +Signed-off-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en/tc_tun.c | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +index 4db0483c066a8..ccfc626c37d48 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -403,12 +403,16 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv, + if (err) + goto free_encap; + ++ e->encap_size = ipv4_encap_size; ++ kfree(e->encap_header); ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event + * and not used before that. + */ +- goto free_encap; ++ goto release_neigh; + } + + memset(&reformat_params, 0, sizeof(reformat_params)); +@@ -422,10 +426,6 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv, + goto free_encap; + } + +- e->encap_size = ipv4_encap_size; +- kfree(e->encap_header); +- e->encap_header = encap_header; +- + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv4_put(&attr); +@@ -669,12 +669,16 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv, + if (err) + goto free_encap; + ++ e->encap_size = ipv6_encap_size; ++ kfree(e->encap_header); ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event + * and not used before that. + */ +- goto free_encap; ++ goto release_neigh; + } + + memset(&reformat_params, 0, sizeof(reformat_params)); +@@ -688,10 +692,6 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv, + goto free_encap; + } + +- e->encap_size = ipv6_encap_size; +- kfree(e->encap_header); +- e->encap_header = encap_header; +- + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv6_put(&attr); +-- +2.43.0 + diff --git a/queue-6.1/revert-net-mlx5e-fix-double-free-of-encap_header.patch b/queue-6.1/revert-net-mlx5e-fix-double-free-of-encap_header.patch new file mode 100644 index 00000000000..e3f565b979a --- /dev/null +++ b/queue-6.1/revert-net-mlx5e-fix-double-free-of-encap_header.patch @@ -0,0 +1,67 @@ +From 895e918527edf22c4655ca6026a182b5d11432f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 13:52:28 +0100 +Subject: Revert "net/mlx5e: fix double free of encap_header" + +From: Vlad Buslov + +[ Upstream commit 5d089684dc434a31e08d32f0530066d0025c52e4 ] + +This reverts commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1. + +This patch is causing a null ptr issue, the proper fix is in the next +patch. + +Fixes: 6f9b1a073166 ("net/mlx5e: fix double free of encap_header") +Signed-off-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +index ccfc626c37d48..83bb0811e7741 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -300,6 +300,9 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + ++ e->encap_size = ipv4_encap_size; ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -319,8 +322,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + goto destroy_neigh_entry; + } + +- e->encap_size = ipv4_encap_size; +- e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv4_put(&attr); +@@ -567,6 +568,9 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + ++ e->encap_size = ipv6_encap_size; ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -586,8 +590,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + goto destroy_neigh_entry; + } + +- e->encap_size = ipv6_encap_size; +- e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv6_put(&attr); +-- +2.43.0 + diff --git a/queue-6.1/s390-vx-fix-save-restore-of-fpu-kernel-context.patch b/queue-6.1/s390-vx-fix-save-restore-of-fpu-kernel-context.patch new file mode 100644 index 00000000000..954fe00e562 --- /dev/null +++ b/queue-6.1/s390-vx-fix-save-restore-of-fpu-kernel-context.patch @@ -0,0 +1,49 @@ +From 1a9d9ec82a010cbc583e836615ba9085c0cfbaf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 15:03:15 +0100 +Subject: s390/vx: fix save/restore of fpu kernel context + +From: Heiko Carstens + +[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ] + +The KERNEL_FPR mask only contains a flag for the first eight vector +registers. However floating point registers overlay parts of the first +sixteen vector registers. + +This could lead to vector register corruption if a kernel fpu context uses +any of the vector registers 8 to 15 and is interrupted or calls a +KERNEL_FPR context. If that context uses also vector registers 8 to 15, +their contents will be corrupted on return. + +Luckily this is currently not a real bug, since the kernel has only one +KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating +point registers 0 to 2. + +Fix this by using the correct bits for KERNEL_FPR. + +Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]") +Signed-off-by: Heiko Carstens +Reviewed-by: Hendrik Brueckner +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/fpu/api.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h +index b714ed0ef6885..9acf48e53a87f 100644 +--- a/arch/s390/include/asm/fpu/api.h ++++ b/arch/s390/include/asm/fpu/api.h +@@ -79,7 +79,7 @@ static inline int test_fp_ctl(u32 fpc) + #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31) + + #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH) +-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7) ++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW) + + struct kernel_fpu; + +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index d4ee11fc11b..36b53b3141b 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -3,3 +3,38 @@ bpf-fix-prog_array_map_poke_run-map-poke-update.patch hid-i2c-hid-acpi-unify-acpi-id-tables-format.patch hid-i2c-hid-add-idea5002-to-i2c_hid_acpi_blacklist.patch drm-amd-display-fix-hw-rotated-modes-when-psr-su-is-.patch +arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch +arm-omap2-fix-null-pointer-dereference-and-memory-le.patch +reset-fix-crash-when-freeing-non-existent-optional-r.patch +s390-vx-fix-save-restore-of-fpu-kernel-context.patch +wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch +wifi-mac80211-check-if-the-existing-link-config-rema.patch +wifi-mac80211-mesh-check-element-parsing-succeeded.patch +wifi-mac80211-mesh_plink-fix-matches_local-logic.patch +revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch +revert-net-mlx5e-fix-double-free-of-encap_header.patch +net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch +net-mlx5-introduce-and-use-opcode-getter-in-command-.patch +net-mlx5-prevent-high-rate-fw-commands-from-populati.patch +net-mlx5-re-organize-mlx5_cmd-struct.patch +net-mlx5e-fix-a-race-in-command-alloc-flow.patch +net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch +net-mlx5-fix-fw-tracer-first-block-check.patch +net-mlx5e-correct-snprintf-truncation-handling-for-f.patch +net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-17801 +net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch +octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch +net-return-error-from-sk_stream_wait_connect-if-sk_w.patch +net-sched-ife-fix-potential-use-after-free.patch +ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch +net-rose-fix-races-in-rose_kill_by_device.patch +bluetooth-fix-deadlock-in-vhci_send_frame.patch +bluetooth-hci_event-shut-up-a-false-positive-warning.patch +net-mana-select-page_pool.patch +net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch +afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch +afs-fix-dynamic-root-lookup-dns-check.patch +net-check-dev-gso_max_size-in-gso_features_check.patch +keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch +afs-fix-overwriting-of-result-of-dns-query.patch +afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch diff --git a/queue-6.1/wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch b/queue-6.1/wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch new file mode 100644 index 00000000000..995d6e91701 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch @@ -0,0 +1,48 @@ +From 4c8044549a30288eed0c9a8710aea59a3e7e1cc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 18:32:02 +0200 +Subject: wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock + +From: Johannes Berg + +[ Upstream commit a4754182dc936b97ec7e9f6b08cdf7ed97ef9069 ] + +Evidently I had only looked at all the ones in rx.c, and missed this. +Add bh-disable to this use of the rxq->lock as well. + +Fixes: 25edc8f259c7 ("iwlwifi: pcie: properly implement NAPI") +Reported-by: Brian Norris +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231208183100.e79ad3dae649.I8f19713c4383707f8be7fc20ff5cc1ecf12429bb@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +index 39ab6526e6b85..796972f224326 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -3034,7 +3034,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans, + struct iwl_rxq *rxq = &trans_pcie->rxq[0]; + u32 i, r, j, rb_len = 0; + +- spin_lock(&rxq->lock); ++ spin_lock_bh(&rxq->lock); + + r = le16_to_cpu(iwl_get_closed_rb_stts(trans, rxq)) & 0x0FFF; + +@@ -3058,7 +3058,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans, + *data = iwl_fw_error_next_data(*data); + } + +- spin_unlock(&rxq->lock); ++ spin_unlock_bh(&rxq->lock); + + return rb_len; + } +-- +2.43.0 + diff --git a/queue-6.1/wifi-mac80211-check-if-the-existing-link-config-rema.patch b/queue-6.1/wifi-mac80211-check-if-the-existing-link-config-rema.patch new file mode 100644 index 00000000000..23dfd012e46 --- /dev/null +++ b/queue-6.1/wifi-mac80211-check-if-the-existing-link-config-rema.patch @@ -0,0 +1,89 @@ +From 6cc06d483f6f7ccc5984fb8b114e63b878e29ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 20:17:47 +0800 +Subject: wifi: mac80211: check if the existing link config remains unchanged + +From: Edward Adam Davis + +[ Upstream commit c1393c132b906fbdf91f6d1c9eb2ef7a00cce64e ] + +[Syz report] +WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48 +Modules linked in: +CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48 +Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3 +RSP: 0018:ffffc90003c57248 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519 +RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005 +RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001 +R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000 +FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674 + sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002 + ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068 + rdev_add_station net/wireless/rdev-ops.h:201 [inline] + nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603 + genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 + genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] + genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 + netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] + netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368 + netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0xd5/0x180 net/socket.c:745 + ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 + ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 + __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +[Analysis] +It is inappropriate to make a link configuration change judgment on an +non-existent and non new link. + +[Fix] +Quickly exit when there is a existent link and the link configuration has not +changed. + +Fixes: b303835dabe0 ("wifi: mac80211: accept STA changes without link changes") +Reported-and-tested-by: syzbot+62d7eef57b09bfebcd84@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://msgid.link/tencent_DE67FF86DB92ED465489A36ECD2EDDCC8C06@qq.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 2ca442f485132..a2c4866080bd7 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1694,10 +1694,10 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, + lockdep_is_held(&local->sta_mtx)); + + /* +- * If there are no changes, then accept a link that doesn't exist, ++ * If there are no changes, then accept a link that exist, + * unless it's a new link. + */ +- if (params->link_id < 0 && !new_link && ++ if (params->link_id >= 0 && !new_link && + !params->link_mac && !params->txpwr_set && + !params->supported_rates_len && + !params->ht_capa && !params->vht_capa && +-- +2.43.0 + diff --git a/queue-6.1/wifi-mac80211-mesh-check-element-parsing-succeeded.patch b/queue-6.1/wifi-mac80211-mesh-check-element-parsing-succeeded.patch new file mode 100644 index 00000000000..ff0c4f3a45b --- /dev/null +++ b/queue-6.1/wifi-mac80211-mesh-check-element-parsing-succeeded.patch @@ -0,0 +1,40 @@ +From 69ba66e921220d1bffc9faf7d77018196d116323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:32 +0200 +Subject: wifi: mac80211: mesh: check element parsing succeeded + +From: Johannes Berg + +[ Upstream commit 1fc4a3eec50d726f4663ad3c0bb0158354d6647a ] + +ieee802_11_parse_elems() can return NULL, so we must +check for the return value. + +Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.93dea364f3d3.Ie87781c6c48979fb25a744b90af4a33dc2d83a28@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_plink.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index bd0b7c189adfa..c54acdc8d00ab 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -1230,6 +1230,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, + return; + } + elems = ieee802_11_parse_elems(baseaddr, len - baselen, true, NULL); +- mesh_process_plink_frame(sdata, mgmt, elems, rx_status); +- kfree(elems); ++ if (elems) { ++ mesh_process_plink_frame(sdata, mgmt, elems, rx_status); ++ kfree(elems); ++ } + } +-- +2.43.0 + diff --git a/queue-6.1/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch b/queue-6.1/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch new file mode 100644 index 00000000000..e47f7990cd6 --- /dev/null +++ b/queue-6.1/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch @@ -0,0 +1,52 @@ +From 317ee71f8752acc6b2d62d6c4355957f65ecf94e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:31 +0200 +Subject: wifi: mac80211: mesh_plink: fix matches_local logic + +From: Johannes Berg + +[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ] + +During refactoring the "else" here got lost, add it back. + +Fixes: c99a89edb106 ("mac80211: factor out plink event gathering") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_plink.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index c54acdc8d00ab..711c3377f428b 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -1051,8 +1051,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_OPEN: + if (!matches_local) + event = OPN_RJCT; +- if (!mesh_plink_free_count(sdata) || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = OPN_IGNR; + else + event = OPN_ACPT; +@@ -1060,9 +1060,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_CONFIRM: + if (!matches_local) + event = CNF_RJCT; +- if (!mesh_plink_free_count(sdata) || +- sta->mesh->llid != llid || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ sta->mesh->llid != llid || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = CNF_IGNR; + else + event = CNF_ACPT; +-- +2.43.0 +