From: Greg Kroah-Hartman
Date: Tue, 22 Apr 2025 07:55:25 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.1.135~89
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=18bfde15d65303f41ea45874277e61793cf0e03e;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
filemap-fix-bounds-checking-in-filemap_read.patch
ipv6-release-nexthop-on-device-removal.patch
misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch
misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch
misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch
mptcp-sockopt-fix-getting-ipv6_v6only.patch
net-fix-crash-when-config-small-gso_max_size-gso_ipv4_max_size.patch
net-mana-fix-error-handling-in-mana_create_txq-rxq-s-napi-cleanup.patch
phonet-pep-fix-racy-skb_queue_empty-use.patch
---
diff --git a/queue-5.15/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch b/queue-5.15/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
new file mode 100644
index 0000000000..ab2abb78a8
--- /dev/null
+++ b/queue-5.15/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
@@ -0,0 +1,125 @@
+From stable+bounces-132662-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:55 2025
+From: Harshit Mogalapalli
+Date: Mon, 14 Apr 2025 11:50:19 -0700
+Subject: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Michal Schmidt , Selvin Xavier , Leon Romanovsky , Xiangyu Chen , Greg Kroah-Hartman , Harshit Mogalapalli
+Message-ID: <20250414185023.2165422-3-harshit.m.mogalapalli@oracle.com>
+
+From: Michal Schmidt
+
+commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
+
+Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
+with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
+In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
+roundup_pow_of_two is documented as undefined for 0.
+
+Fix it in the one caller that had this combination.
+
+The undefined behavior was detected by UBSAN:
+ UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+ shift exponent 64 is too large for 64-bit type 'long unsigned int'
+ CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
+ Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
+ Call Trace:
+
+ dump_stack_lvl+0x5d/0x80
+ ubsan_epilogue+0x5/0x30
+ __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
+ __roundup_pow_of_two+0x25/0x35 [bnxt_re]
+ bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
+ bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
+ bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __kmalloc+0x1b6/0x4f0
+ ? create_qp.part.0+0x128/0x1c0 [ib_core]
+ ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
+ create_qp.part.0+0x128/0x1c0 [ib_core]
+ ib_create_qp_kernel+0x50/0xd0 [ib_core]
+ create_mad_qp+0x8e/0xe0 [ib_core]
+ ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
+ ib_mad_init_device+0x2be/0x680 [ib_core]
+ add_client_context+0x10d/0x1a0 [ib_core]
+ enable_device_and_get+0xe0/0x1d0 [ib_core]
+ ib_register_device+0x53c/0x630 [ib_core]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
+ ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
+ auxiliary_bus_probe+0x49/0x80
+ ? driver_sysfs_add+0x57/0xc0
+ really_probe+0xde/0x340
+ ? pm_runtime_barrier+0x54/0x90
+ ? __pfx___driver_attach+0x10/0x10
+ __driver_probe_device+0x78/0x110
+ driver_probe_device+0x1f/0xa0
+ __driver_attach+0xba/0x1c0
+ bus_for_each_dev+0x8f/0xe0
+ bus_add_driver+0x146/0x220
+ driver_register+0x72/0xd0
+ __auxiliary_driver_register+0x6e/0xd0
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ do_one_initcall+0x5b/0x310
+ do_init_module+0x90/0x250
+ init_module_from_file+0x86/0xc0
+ idempotent_init_module+0x121/0x2b0
+ __x64_sys_finit_module+0x5e/0xb0
+ do_syscall_64+0x82/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode_prepare+0x149/0x170
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode+0x75/0x230
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_syscall_64+0x8e/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __count_memcg_events+0x69/0x100
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? count_memcg_events.constprop.0+0x1a/0x30
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? handle_mm_fault+0x1f0/0x300
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_user_addr_fault+0x34e/0x640
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f4e5132821d
+ Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+ RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
+ RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
+ RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
+ R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
+ R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
+
+ ---[ end trace ]---
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Michal Schmidt
+Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
+Acked-by: Selvin Xavier
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Xiangyu Chen
+Signed-off-by: Greg Kroah-Hartman
+[Harshit: backport to 5.15.y, this is a clean cherrypick from 6.1.y
+commit ]
+Signed-off-by: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qpl
+ hwq_attr.stride = sizeof(struct sq_sge);
+ hwq_attr.depth = bnxt_qplib_get_depth(sq);
+ hwq_attr.aux_stride = psn_sz;
+- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
++ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
++ : 0;
+ hwq_attr.type = HWQ_TYPE_QUEUE;
+ rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
+ if (rc)
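Review bot: The new `psn_sz ? ... : 0` guard on `hwq_attr.aux_depth` in bnxt_qplib_create_qp() carries no comment, so the reason the depth must be zeroed is only recoverable from the commit message. A one-line comment above the assignment would keep the invariant next to the code: `/* aux_depth must be 0 when psn_sz is 0: roundup_pow_of_two(0) is undefined */`. The commit message says the fix is applied in the one caller that had this combination, so bnxt_qplib_alloc_init_hwq() itself (outside the hunk) presumably still accepts aux_depth != 0 with aux_stride == 0; a future caller could reintroduce the undefined shift unless the callee also rejects that pair. bnxt_qplib_create_qp() starts and ends outside the hunk.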
diff --git a/queue-5.15/filemap-fix-bounds-checking-in-filemap_read.patch b/queue-5.15/filemap-fix-bounds-checking-in-filemap_read.patch
new file mode 100644
index 0000000000..a8c7ca41b5
--- /dev/null
+++ b/queue-5.15/filemap-fix-bounds-checking-in-filemap_read.patch
@@ -0,0 +1,45 @@
+From stable+bounces-132664-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:56 2025
+From: Harshit Mogalapalli
+Date: Mon, 14 Apr 2025 11:50:22 -0700
+Subject: filemap: Fix bounds checking in filemap_read()
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Trond Myklebust , Mike Snitzer , Linus Torvalds , Harshit Mogalapalli
+Message-ID: <20250414185023.2165422-6-harshit.m.mogalapalli@oracle.com>
+
+From: Trond Myklebust
+
+[ Upstream commit ace149e0830c380ddfce7e466fe860ca502fe4ee ]
+
+If the caller supplies an iocb->ki_pos value that is close to the
+filesystem upper limit, and an iterator with a count that causes us to
+overflow that limit, then filemap_read() enters an infinite loop.
+
+This behaviour was discovered when testing xfstests generic/525 with the
+"localio" optimisation for loopback NFS mounts.
+
+Reported-by: Mike Snitzer
+Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
+Tested-by: Mike Snitzer
+Signed-off-by: Trond Myklebust
+Signed-off-by: Linus Torvalds
+(cherry picked from commit ace149e0830c380ddfce7e466fe860ca502fe4ee)
+[Harshit: Minor conflict resolved due to missing commit: 25d6a23e8d28
+("filemap: Convert filemap_get_read_batch() to use a folio_batch") in
+5.15.y]
+Signed-off-by: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/filemap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2617,7 +2617,7 @@ ssize_t filemap_read(struct kiocb *iocb,
+ if (unlikely(!iov_iter_count(iter)))
+ return 0;
+
+- iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
++ iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);
+ pagevec_init(&pvec);
+
+ do {
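Review bot: The new bound `inode->i_sb->s_maxbytes - iocb->ki_pos` in filemap_read() is only safe if `iocb->ki_pos` is already known to be non-negative and below `s_maxbytes` at this point, and the hunk does not show such a check. If the difference could go negative it would presumably be converted to a very large count when passed to iov_iter_truncate(), and the truncation would then have no effect. If an earlier guard in the function establishes the range, a comment here would record the dependency: `/* ki_pos < s_maxbytes was checked above, so the remaining span is positive */`. filemap_read() starts and ends outside the hunk.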
diff --git a/queue-5.15/ipv6-release-nexthop-on-device-removal.patch b/queue-5.15/ipv6-release-nexthop-on-device-removal.patch
new file mode 100644
index 0000000000..d1e4098199
--- /dev/null
+++ b/queue-5.15/ipv6-release-nexthop-on-device-removal.patch
@@ -0,0 +1,102 @@
+From stable+bounces-132666-greg=kroah.com@vger.kernel.org Mon Apr 14 20:51:11 2025
+From: Harshit Mogalapalli
+Date: Mon, 14 Apr 2025 11:50:23 -0700
+Subject: ipv6: release nexthop on device removal
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Paolo Abeni , Eric Dumazet , David Ahern , Jakub Kicinski , Harshit Mogalapalli
+Message-ID: <20250414185023.2165422-7-harshit.m.mogalapalli@oracle.com>
+
+From: Paolo Abeni
+
+[ Upstream commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe ]
+
+The CI is hitting some aperiodic hangup at device removal time in the
+pmtu.sh self-test:
+
+unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
+ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
+ dst_init+0x84/0x4a0
+ dst_alloc+0x97/0x150
+ ip6_dst_alloc+0x23/0x90
+ ip6_rt_pcpu_alloc+0x1e6/0x520
+ ip6_pol_route+0x56f/0x840
+ fib6_rule_lookup+0x334/0x630
+ ip6_route_output_flags+0x259/0x480
+ ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
+ ip6_dst_lookup_flow+0x88/0x190
+ udp_tunnel6_dst_lookup+0x2a7/0x4c0
+ vxlan_xmit_one+0xbde/0x4a50 [vxlan]
+ vxlan_xmit+0x9ad/0xf20 [vxlan]
+ dev_hard_start_xmit+0x10e/0x360
+ __dev_queue_xmit+0xf95/0x18c0
+ arp_solicit+0x4a2/0xe00
+ neigh_probe+0xaa/0xf0
+
+While the first suspect is the dst_cache, explicitly tracking the dst
+owing the last device reference via probes proved such dst is held by
+the nexthop in the originating fib6_info.
+
+Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
+removal"), we need to explicitly release the originating fib info when
+disconnecting a to-be-removed device from a live ipv6 dst: move the
+fib6_info cleanup into ip6_dst_ifdown().
+
+Tested running:
+
+./pmtu.sh cleanup_ipv6_exception
+
+in a tight loop for more than 400 iterations with no spat, running an
+unpatched kernel I observed a splat every ~10 iterations.
+
+Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
+Signed-off-by: Paolo Abeni
+Reviewed-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/604c45c188c609b732286b47ac2a451a40f6cf6d.1730828007.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski
+(cherry picked from commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe)
+[Harshit: Resolved conflict due to missing commit: e5f80fcf869a ("ipv6:
+give an IPv6 dev to blackhole_netdev") and commit: b4cb4a1391dc ("net:
+use unrcu_pointer() helper") in linux-5.15.y]
+Signed-off-by: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/route.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -377,6 +377,7 @@ static void ip6_dst_ifdown(struct dst_en
+ struct inet6_dev *idev = rt->rt6i_idev;
+ struct net_device *loopback_dev =
+ dev_net(dev)->loopback_dev;
++ struct fib6_info *from;
+
+ if (idev && idev->dev != loopback_dev) {
+ struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev);
+@@ -385,6 +386,8 @@ static void ip6_dst_ifdown(struct dst_en
+ in6_dev_put(idev);
+ }
+ }
++ from = xchg((__force struct fib6_info **)&rt->from, NULL);
++ fib6_info_release(from);
+ }
+
+ static bool __rt6_check_expired(const struct rt6_info *rt)
+@@ -1443,7 +1446,6 @@ static DEFINE_SPINLOCK(rt6_exception_loc
+ static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
+ struct rt6_exception *rt6_ex)
+ {
+- struct fib6_info *from;
+ struct net *net;
+
+ if (!bucket || !rt6_ex)
+@@ -1455,8 +1457,6 @@ static void rt6_remove_exception(struct
+ /* purge completely the exception to allow releasing the held resources:
+ * some [sk] cache may keep the dst around for unlimited time
+ */
+- from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL);
+- fib6_info_release(from);
+ dst_dev_put(&rt6_ex->rt6i->dst);
+
+ hlist_del_rcu(&rt6_ex->hlist);
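Review bot: The `xchg()` / `fib6_info_release()` pair added at the end of ip6_dst_ifdown() is undocumented, while the comment that explained it ("purge completely the exception to allow releasing the held resources") stays behind in rt6_remove_exception() above a `dst_dev_put()` call that no longer visibly releases anything. A comment at the new site would keep the reasoning with the code, e.g. `/* drop the originating fib6_info so its nexthop stops holding the device */`. The release sits outside the `if (idev && ...)` block, so it runs on every call and relies on fib6_info_release() accepting NULL once `rt->from` has already been cleared; that helper is not shown here. ip6_dst_ifdown() starts outside the hunk.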
diff --git a/queue-5.15/misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch b/queue-5.15/misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch
new file mode 100644
index 0000000000..fd5632226a
--- /dev/null
+++ b/queue-5.15/misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch
@@ -0,0 +1,51 @@
+From f6cb7828c8e17520d4f5afb416515d3fae1af9a9 Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi
+Date: Tue, 25 Feb 2025 20:02:48 +0900
+Subject: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi
+
+commit f6cb7828c8e17520d4f5afb416515d3fae1af9a9 upstream.
+
+After devm_request_irq() fails with error in pci_endpoint_test_request_irq(),
+the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs
+have been released.
+
+However, some requested IRQs remain unreleased, so there are still
+/proc/irq/* entries remaining, and this results in WARN() with the
+following message:
+
+ remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0'
+ WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c
+
+To solve this issue, set the number of remaining IRQs to test->num_irqs,
+and release IRQs in advance by calling pci_endpoint_test_release_irq().
+
+Cc: stable@vger.kernel.org
+Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
+Reviewed-by: Manivannan Sadhasivam
+Signed-off-by: Kunihiko Hayashi
+Link: https://lore.kernel.org/r/20250225110252.28866-3-hayashi.kunihiko@socionext.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Kunihiko Hayashi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -262,6 +262,9 @@ fail:
+ break;
+ }
+
++ test->num_irqs = i;
++ pci_endpoint_test_release_irq(test);
++
+ return false;
+ }
+
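Review bot: In the `fail:` path of pci_endpoint_test_request_irq(), `test->num_irqs = i;` replaces the stored vector count with the number of IRQs that were actually requested, and nothing in the hunk says so. A comment would make the intent explicit: `/* only IRQs [0, i) were requested; release exactly those */`. Whether the later pci_endpoint_test_free_irq_vectors() call mentioned in the commit message still needs the original `num_irqs` value is not visible here and is worth confirming. The function starts outside the hunk.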
diff --git a/queue-5.15/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch b/queue-5.15/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch
new file mode 100644
index 0000000000..89b03e468c
--- /dev/null
+++ b/queue-5.15/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch
@@ -0,0 +1,54 @@
+From 919d14603dab6a9cf03ebbeb2cfa556df48737c8 Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi
+Date: Tue, 25 Feb 2025 20:02:49 +0900
+Subject: misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi
+
+commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream.
+
+There are two variables that indicate the interrupt type to be used
+in the next test execution, global "irq_type" and "test->irq_type".
+
+The former is referenced from pci_endpoint_test_get_irq() to preserve
+the current type for ioctl(PCITEST_GET_IRQTYPE).
+
+In the pci_endpoint_test_request_irq(), since this global variable
+is referenced when an error occurs, the unintended error message is
+displayed.
+
+For example, after running "pcitest -i 2", the following message
+shows "MSI 3" even if the current IRQ type becomes "MSI-X":
+
+ pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3
+ SET IRQ TYPE TO MSI-X: NOT OKAY
+
+Fix this issue by using "test->irq_type" instead of global "irq_type".
+
+Cc: stable@vger.kernel.org
+Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
+Reviewed-by: Manivannan Sadhasivam
+Signed-off-by: Kunihiko Hayashi
+Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Kunihiko Hayashi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -245,7 +245,7 @@ static bool pci_endpoint_test_request_ir
+ return true;
+
+ fail:
+- switch (irq_type) {
++ switch (test->irq_type) {
+ case IRQ_TYPE_LEGACY:
+ dev_err(dev, "Failed to request IRQ %d for Legacy\n",
+ pci_irq_vector(pdev, i));
diff --git a/queue-5.15/misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch b/queue-5.15/misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch
new file mode 100644
index 0000000000..2f3ba36fc7
--- /dev/null
+++ b/queue-5.15/misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch
@@ -0,0 +1,65 @@
+From baaef0a274cfb75f9b50eab3ef93205e604f662c Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi
+Date: Tue, 25 Feb 2025 20:02:50 +0900
+Subject: misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi
+
+commit baaef0a274cfb75f9b50eab3ef93205e604f662c upstream.
+
+There are two variables that indicate the interrupt type to be used
+in the next test execution, "irq_type" as global and "test->irq_type".
+
+The global is referenced from pci_endpoint_test_get_irq() to preserve
+the current type for ioctl(PCITEST_GET_IRQTYPE).
+
+The type set in this function isn't reflected in the global "irq_type",
+so ioctl(PCITEST_GET_IRQTYPE) returns the previous type.
+
+As a result, the wrong type is displayed in old version of "pcitest"
+as follows:
+
+ - Result of running "pcitest -i 0"
+
+ SET IRQ TYPE TO LEGACY: OKAY
+
+ - Result of running "pcitest -I"
+
+ GET IRQ TYPE: MSI
+
+Whereas running the new version of "pcitest" in kselftest results in an
+error as follows:
+
+ # RUN pci_ep_basic.LEGACY_IRQ_TEST ...
+ # pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Expected 0 (0) == ret (1)
+ # pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Can't get Legacy IRQ type
+
+Fix this issue by propagating the current type to the global "irq_type".
+
+Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
+Signed-off-by: Kunihiko Hayashi
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński
+Reviewed-by: Niklas Cassel
+Reviewed-by: Manivannan Sadhasivam
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250225110252.28866-5-hayashi.kunihiko@socionext.com
+Signed-off-by: Kunihiko Hayashi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -717,6 +717,7 @@ static bool pci_endpoint_test_set_irq(st
+ if (!pci_endpoint_test_request_irq(test))
+ goto err;
+
++ irq_type = test->irq_type;
+ return true;
+
+ err:
diff --git a/queue-5.15/mptcp-sockopt-fix-getting-ipv6_v6only.patch b/queue-5.15/mptcp-sockopt-fix-getting-ipv6_v6only.patch
new file mode 100644
index 0000000000..ee76c10a81
--- /dev/null
+++ b/queue-5.15/mptcp-sockopt-fix-getting-ipv6_v6only.patch
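Review bot: `irq_type = test->irq_type;` in pci_endpoint_test_set_irq() stores per-device state into the global described in the commit message, so with more than one test device bound, ioctl(PCITEST_GET_IRQTYPE) would report whichever device was configured last. The hunk shows no lock around the store; if the ioctl path holds only a per-device lock, the write to the shared variable is also unsynchronised. Having the GET path return `test->irq_type` directly would avoid both, but that function is outside this hunk. At minimum the assignment deserves a comment such as `/* mirror into the global irq_type read by PCITEST_GET_IRQTYPE */`.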
@@ -0,0 +1,79 @@
+From 8c39633759885b6ff85f6d96cf445560e74df5e8 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Fri, 14 Mar 2025 21:11:32 +0100
+Subject: mptcp: sockopt: fix getting IPV6_V6ONLY
+
+From: Matthieu Baerts (NGI0)
+
+commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream.
+
+When adding a socket option support in MPTCP, both the get and set parts
+are supposed to be implemented.
+
+IPV6_V6ONLY support for the setsockopt part has been added a while ago,
+but it looks like the get part got forgotten. It should have been
+present as a way to verify a setting has been set as expected, and not
+to act differently from TCP or any other socket types.
+
+Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want
+to check the default value, before doing extra actions. On Linux, the
+default value is 0, but this can be changed with the net.ipv6.bindv6only
+sysctl knob. On Windows, it is set to 1 by default. So supporting the
+get part, like for all other socket options, is important.
+
+Everything was in place to expose it, just the last step was missing.
+Only new code is added to cover this specific getsockopt(), that seems
+safe.
+
+Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org
+Signed-off-by: Paolo Abeni
+[ Conflicts in sockopt.c in the context, because commit 3b1e21eb60e8
+ ("mptcp: getsockopt: add support for IP_TOS") is not in this release.
+ The conflicts are in the context, the new helper can be added without
+ issue. It depends on mptcp_put_int_option() which has been added via
+ another backport, see commit 874aae15fbef ("mptcp: fix full TCP
+ keep-alive support"). ]
+Signed-off-by: Matthieu Baerts (NGI0)
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/sockopt.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -793,6 +793,20 @@ static int mptcp_getsockopt_sol_tcp(stru
+ return -EOPNOTSUPP;
+ }
+
++static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname,
++ char __user *optval, int __user *optlen)
++{
++ struct sock *sk = (void *)msk;
++
++ switch (optname) {
++ case IPV6_V6ONLY:
++ return mptcp_put_int_option(msk, optval, optlen,
++ sk->sk_ipv6only);
++ }
++
++ return -EOPNOTSUPP;
++}
++
+ int mptcp_getsockopt(struct sock *sk, int level, int optname,
+ char __user *optval, int __user *option)
+ {
+@@ -813,6 +827,8 @@ int mptcp_getsockopt(struct sock *sk, in
+ if (ssk)
+ return tcp_getsockopt(ssk, level, optname, optval, option);
+
++ if (level == SOL_IPV6)
++ return mptcp_getsockopt_v6(msk, optname, optval, option);
+ if (level == SOL_TCP)
+ return mptcp_getsockopt_sol_tcp(msk, optname, optval, option);
+ return -EOPNOTSUPP;
diff --git a/queue-5.15/net-fix-crash-when-config-small-gso_max_size-gso_ipv4_max_size.patch b/queue-5.15/net-fix-crash-when-config-small-gso_max_size-gso_ipv4_max_size.patch
new file mode 100644
index 0000000000..2ed137cd85
--- /dev/null
+++ b/queue-5.15/net-fix-crash-when-config-small-gso_max_size-gso_ipv4_max_size.patch
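Review bot: The `level == SOL_IPV6` dispatch added to mptcp_getsockopt() is not conditioned on the socket family, so as far as the hunk shows an AF_INET MPTCP socket would get `sk->sk_ipv6only` back with success instead of an error. The commit message states the aim is not to act differently from TCP, so it is worth confirming that plain TCP answers the same way for an IPv4 socket; if it does not, `if (level == SOL_IPV6 && sk->sk_family == AF_INET6)` would restore parity. mptcp_getsockopt_v6() also reads `sk->sk_ipv6only` without any visible locking, which is probably fine for a single flag but deserves a comment such as `/* lockless read of a single flag, a stale value is acceptable here */`. mptcp_getsockopt() starts outside the hunk.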
@@ -0,0 +1,53 @@
+From stable+bounces-132665-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:59 2025
+From: Harshit Mogalapalli
+Date: Mon, 14 Apr 2025 11:50:21 -0700
+Subject: net: fix crash when config small gso_max_size/gso_ipv4_max_size
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Wang Liang , Eric Dumazet , Jakub Kicinski , Bin Lan , Sasha Levin , Harshit Mogalapalli
+Message-ID: <20250414185023.2165422-5-harshit.m.mogalapalli@oracle.com>
+
+From: Wang Liang
+
+[ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
+
+Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow
+in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
+because sk->sk_gso_max_size would be much bigger than device limits.
+Call Trace:
+tcp_write_xmit
+ tso_segs = tcp_init_tso_segs(skb, mss_now);
+ tcp_set_skb_tso_segs
+ tcp_skb_pcount_set
+ // skb->len = 524288, mss_now = 8
+ // u16 tso_segs = 524288/8 = 65535 -> 0
+ tso_segs = DIV_ROUND_UP(skb->len, mss_now)
+ BUG_ON(!tso_segs)
+Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
+
+Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
+Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
+Signed-off-by: Wang Liang
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
+Signed-off-by: Jakub Kicinski
+[ Resolve minor conflicts to fix CVE-2024-50258 ]
+Signed-off-by: Bin Lan
+Signed-off-by: Sasha Levin
+[Harshit: Clean cherrypick from 6.1.y commit]
+Signed-off-by: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1899,7 +1899,7 @@ static const struct nla_policy ifla_poli
+ [IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 },
+ [IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 },
+ [IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 },
+- [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 },
++ [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1),
+ [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
+ [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */
+ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
diff --git a/queue-5.15/net-mana-fix-error-handling-in-mana_create_txq-rxq-s-napi-cleanup.patch b/queue-5.15/net-mana-fix-error-handling-in-mana_create_txq-rxq-s-napi-cleanup.patch
new file mode 100644
index 0000000000..988b189ff5
--- /dev/null
+++ b/queue-5.15/net-mana-fix-error-handling-in-mana_create_txq-rxq-s-napi-cleanup.patch
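Review bot: The policy entry `NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1)` for IFLA_GSO_MAX_SIZE gives no hint why that floor was chosen; per the commit message it exists so the computation in sk_dst_gso_max_size() cannot underflow. A trailing comment would tie the two together, e.g. `/* must exceed MAX_TCP_HEADER, see sk_dst_gso_max_size() */`. The subject also names gso_ipv4_max_size, but only IFLA_GSO_MAX_SIZE is bounded in this hunk; presumably this tree has no such attribute, which the backport note could state. The floor covers the netlink path only, so any other writer of the device's gso_max_size is not constrained by it and is outside this hunk. The ifla_policy initializer starts and ends outside the hunk.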
@@ -0,0 +1,123 @@
+From stable+bounces-132661-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:44 2025
+From: Harshit Mogalapalli
+Date: Mon, 14 Apr 2025 11:50:18 -0700
+Subject: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Souradeep Chakrabarti , Haiyang Zhang , Shradha Gupta , "David S. Miller" , Harshit Mogalapalli
+Message-ID: <20250414185023.2165422-2-harshit.m.mogalapalli@oracle.com>
+
+From: Souradeep Chakrabarti
+
+[ Upstream commit b6ecc662037694488bfff7c9fd21c405df8411f2 ]
+
+Currently napi_disable() gets called during rxq and txq cleanup,
+even before napi is enabled and hrtimer is initialized. It causes
+kernel panic.
+
+? page_fault_oops+0x136/0x2b0
+ ? page_counter_cancel+0x2e/0x80
+ ? do_user_addr_fault+0x2f2/0x640
+ ? refill_obj_stock+0xc4/0x110
+ ? exc_page_fault+0x71/0x160
+ ? asm_exc_page_fault+0x27/0x30
+ ? __mmdrop+0x10/0x180
+ ? __mmdrop+0xec/0x180
+ ? hrtimer_active+0xd/0x50
+ hrtimer_try_to_cancel+0x2c/0xf0
+ hrtimer_cancel+0x15/0x30
+ napi_disable+0x65/0x90
+ mana_destroy_rxq+0x4c/0x2f0
+ mana_create_rxq.isra.0+0x56c/0x6d0
+ ? mana_uncfg_vport+0x50/0x50
+ mana_alloc_queues+0x21b/0x320
+ ? skb_dequeue+0x5f/0x80
+
+Cc: stable@vger.kernel.org
+Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ")
+Signed-off-by: Souradeep Chakrabarti
+Reviewed-by: Haiyang Zhang
+Reviewed-by: Shradha Gupta
+Signed-off-by: David S. Miller
+(cherry picked from commit b6ecc662037694488bfff7c9fd21c405df8411f2)
+[Harshit: conflicts resolved due to missing commit: ed5356b53f07 ("net:
+mana: Add XDP support") and commit: d356abb95b98 ("net: mana: Add
+counter for XDP_TX") in 5.15.y]
+Signed-off-by: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microsoft/mana/mana.h | 2 ++
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 21 +++++++++++++--------
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/mana.h
++++ b/drivers/net/ethernet/microsoft/mana/mana.h
+@@ -76,6 +76,8 @@ struct mana_txq {
+
+ atomic_t pending_sends;
+
++ bool napi_initialized;
++
+ struct mana_stats stats;
+ };
+
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -1154,10 +1154,12 @@ static void mana_destroy_txq(struct mana
+
+ for (i = 0; i < apc->num_queues; i++) {
+ napi = &apc->tx_qp[i].tx_cq.napi;
+- napi_synchronize(napi);
+- napi_disable(napi);
+- netif_napi_del(napi);
+-
++ if (apc->tx_qp[i].txq.napi_initialized) {
++ napi_synchronize(napi);
++ napi_disable(napi);
++ netif_napi_del(napi);
++ apc->tx_qp[i].txq.napi_initialized = false;
++ }
+ mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object);
+
+ mana_deinit_cq(apc, &apc->tx_qp[i].tx_cq);
+@@ -1213,6 +1215,7 @@ static int mana_create_txq(struct mana_p
+ txq->ndev = net;
+ txq->net_txq = netdev_get_tx_queue(net, i);
+ txq->vp_offset = apc->tx_vp_offset;
++ txq->napi_initialized = false;
+ skb_queue_head_init(&txq->pending_skbs);
+
+ memset(&spec, 0, sizeof(spec));
+@@ -1277,6 +1280,7 @@ static int mana_create_txq(struct mana_p
+
+ netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT);
+ napi_enable(&cq->napi);
++ txq->napi_initialized = true;
+
+ mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
+ }
+@@ -1288,7 +1292,7 @@ out:
+ }
+
+ static void mana_destroy_rxq(struct mana_port_context *apc,
+- struct mana_rxq *rxq, bool validate_state)
++ struct mana_rxq *rxq, bool napi_initialized)
+
+ {
+ struct gdma_context *gc = apc->ac->gdma_dev->gdma_context;
+@@ -1302,12 +1306,13 @@ static void mana_destroy_rxq(struct mana
+
+ napi = &rxq->rx_cq.napi;
+
+- if (validate_state)
++ if (napi_initialized) {
+ napi_synchronize(napi);
+
+- napi_disable(napi);
+- netif_napi_del(napi);
++ napi_disable(napi);
+
++ netif_napi_del(napi);
++ }
+ mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
+
+ mana_deinit_cq(apc, &rxq->rx_cq);
diff --git a/queue-5.15/phonet-pep-fix-racy-skb_queue_empty-use.patch b/queue-5.15/phonet-pep-fix-racy-skb_queue_empty-use.patch
new file mode 100644
index 0000000000..522f892f32
--- /dev/null
+++ b/queue-5.15/phonet-pep-fix-racy-skb_queue_empty-use.patch
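Review bot: mana_destroy_rxq() now skips `napi_disable()` and `netif_napi_del()` whenever its caller passes false, while the TX side tracks the same fact itself in `txq->napi_initialized`; the parameter's meaning has changed from "validate state" to "NAPI was set up", and the call sites are outside these hunks. Any caller that still passes false after NAPI has been added for that queue would leave the instance registered while the rest of the queue is torn down. Keeping a `napi_initialized` flag in the RX queue as well, set right after NAPI is enabled and tested in mana_destroy_rxq(), would make both paths consistent and remove the dependence on caller discipline; struct mana_rxq and the RX create path are not shown, so this is a point to verify, not a confirmed defect. The new struct field would also benefit from a comment such as `/* NAPI added and enabled; teardown must be skipped otherwise */`.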
@@ -0,0 +1,85 @@
+From stable+bounces-132663-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:55 2025
+From: Harshit Mogalapalli
+Date: Mon, 14 Apr 2025 11:50:20 -0700
+Subject: phonet/pep: fix racy skb_queue_empty() use
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, "Rémi Denis-Courmont" , "Paolo Abeni" , "Sasha Levin" , "Harshit Mogalapalli"
+Message-ID: <20250414185023.2165422-4-harshit.m.mogalapalli@oracle.com>
+
+From: Rémi Denis-Courmont
+
+[ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ]
+
+The receive queues are protected by their respective spin-lock, not
+the socket lock. This could lead to skb_peek() unexpectedly
+returning NULL or a pointer to an already dequeued socket buffer.
+
+Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
+Signed-off-by: Rémi Denis-Courmont
+Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+[Harshit: backport to 5.15.y, clean cherrypick from 6.1.y commit]
+Signed-off-by: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/phonet/pep.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -916,6 +916,37 @@ static int pep_sock_enable(struct sock *
+ return 0;
+ }
+
++static unsigned int pep_first_packet_length(struct sock *sk)
++{
++ struct pep_sock *pn = pep_sk(sk);
++ struct sk_buff_head *q;
++ struct sk_buff *skb;
++ unsigned int len = 0;
++ bool found = false;
++
++ if (sock_flag(sk, SOCK_URGINLINE)) {
++ q = &pn->ctrlreq_queue;
++ spin_lock_bh(&q->lock);
++ skb = skb_peek(q);
++ if (skb) {
++ len = skb->len;
++ found = true;
++ }
++ spin_unlock_bh(&q->lock);
++ }
++
++ if (likely(!found)) {
++ q = &sk->sk_receive_queue;
++ spin_lock_bh(&q->lock);
++ skb = skb_peek(q);
++ if (skb)
++ len = skb->len;
++ spin_unlock_bh(&q->lock);
++ }
++
++ return len;
++}
++
+ static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
+ {
+ struct pep_sock *pn = pep_sk(sk);
+@@ -929,15 +960,7 @@ static int pep_ioctl(struct sock *sk, in
+ break;
+ }
+
+- lock_sock(sk);
+- if (sock_flag(sk, SOCK_URGINLINE) &&
+- !skb_queue_empty(&pn->ctrlreq_queue))
+- answ = skb_peek(&pn->ctrlreq_queue)->len;
+- else if (!skb_queue_empty(&sk->sk_receive_queue))
+- answ = skb_peek(&sk->sk_receive_queue)->len;
+- else
+- answ = 0;
+- release_sock(sk);
++ answ = pep_first_packet_length(sk);
+ ret = put_user(answ, (int __user *)arg);
+ break;
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 8131f48490..2d983a0458 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -196,3 +196,13 @@ kvm-arm64-calculate-cptr_el2-traps-on-activating-traps.patch
 kvm-arm64-eagerly-switch-zcr_el-1-2.patch
 cpufreq-reference-count-policy-in-cpufreq_update_limits.patch
 kbuild-add-fno-builtin-wcslen.patch
+mptcp-sockopt-fix-getting-ipv6_v6only.patch
+misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch
+misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch
+misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch
+ipv6-release-nexthop-on-device-removal.patch
+net-fix-crash-when-config-small-gso_max_size-gso_ipv4_max_size.patch
+filemap-fix-bounds-checking-in-filemap_read.patch
+phonet-pep-fix-racy-skb_queue_empty-use.patch
+bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
+net-mana-fix-error-handling-in-mana_create_txq-rxq-s-napi-cleanup.patch
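Review bot: pep_first_packet_length() in net/phonet/pep.c has no comment stating its locking contract, which is the whole point of the change: each queue is peeked under its own `q->lock` with bottom halves disabled, and the socket lock is deliberately no longer taken. A header comment would make that hard to undo by accident, e.g. `/* Length of the next readable packet, or 0; takes each queue's own lock, not the socket lock */`. The helper returns `unsigned int` while pep_ioctl() stores the result in `answ` and writes it out with `put_user(answ, (int __user *)arg)`; the declaration of `answ` is outside the hunk, so the conversion is worth a glance. pep_ioctl() starts and ends outside the hunk.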