From: Sasha Levin Date: Fri, 10 Jan 2025 14:26:06 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v6.1.125~69 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2900b272583091f27ee34dad05759d828f55cb06;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch b/queue-6.1/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch new file mode 100644 index 00000000000..9ce4a95f857 --- /dev/null +++ b/queue-6.1/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch @@ -0,0 +1,76 @@ +From 698b70a319d48b971d4a6b8f9892a4304bfde549 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 15:42:09 -0500 +Subject: Bluetooth: hci_sync: Fix not setting Random Address when required + +From: Luiz Augusto von Dentz + +[ Upstream commit c2994b008492db033d40bd767be1620229a3035e ] + +This fixes errors such as the following when Own address type is set to +Random Address but it has not been programmed yet due to either be +advertising or connecting: + +< HCI Command: LE Set Exte.. (0x08|0x0041) plen 13 + Own address type: Random (0x03) + Filter policy: Ignore not in accept list (0x01) + PHYs: 0x05 + Entry 0: LE 1M + Type: Passive (0x00) + Interval: 60.000 msec (0x0060) + Window: 30.000 msec (0x0030) + Entry 1: LE Coded + Type: Passive (0x00) + Interval: 180.000 msec (0x0120) + Window: 90.000 msec (0x0090) +> HCI Event: Command Complete (0x0e) plen 4 + LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Exten.. (0x08|0x0042) plen 6 + Extended scan: Enabled (0x01) + Filter duplicates: Enabled (0x01) + Duration: 0 msec (0x0000) + Period: 0.00 sec (0x0000) +> HCI Event: Command Complete (0x0e) plen 4 + LE Set Extended Scan Enable (0x08|0x0042) ncmd 1 + Status: Invalid HCI Command Parameters (0x12) + +Fixes: c45074d68a9b ("Bluetooth: Fix not generating RPA when required") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index b7a7b2afaa04..c6108e68f5a9 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1006,9 +1006,9 @@ static bool adv_use_rpa(struct hci_dev *hdev, uint32_t flags) + + static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa) + { +- /* If we're advertising or initiating an LE connection we can't +- * go ahead and change the random address at this time. This is +- * because the eventual initiator address used for the ++ /* If a random_addr has been set we're advertising or initiating an LE ++ * connection we can't go ahead and change the random address at this ++ * time. This is because the eventual initiator address used for the + * subsequently created connection will be undefined (some + * controllers use the new address and others the one we had + * when the operation started). +@@ -1016,8 +1016,9 @@ static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa) + * In this kind of scenario skip the update and let the random + * address be updated at the next cycle. + */ +- if (hci_dev_test_flag(hdev, HCI_LE_ADV) || +- hci_lookup_le_connect(hdev)) { ++ if (bacmp(&hdev->random_addr, BDADDR_ANY) && ++ (hci_dev_test_flag(hdev, HCI_LE_ADV) || ++ hci_lookup_le_connect(hdev))) { + bt_dev_dbg(hdev, "Deferring random address update"); + hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); + return 0; +-- +2.39.5 + diff --git a/queue-6.1/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch b/queue-6.1/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch new file mode 100644 index 00000000000..dcafeff2d48 --- /dev/null +++ b/queue-6.1/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch @@ -0,0 +1,47 @@ +From 89879e7cfeb3b30b078ce9216b38f510db4265a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 20:38:47 -0800 +Subject: bnxt_en: Fix possible memory leak when hwrm_req_replace fails + +From: Kalesh AP + +[ Upstream commit c8dafb0e4398dacc362832098a04b97da3b0395b ] + +When hwrm_req_replace() fails, the driver is not invoking bnxt_req_drop() +which could cause a memory leak. + +Fixes: bbf33d1d9805 ("bnxt_en: update all firmware calls to use the new APIs") +Reviewed-by: Pavan Chebbi +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20250104043849.3482067-2-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index 2e54bf4fc7a7..c0f67db641c3 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -252,7 +252,7 @@ static int bnxt_send_msg(struct bnxt_en_dev *edev, unsigned int ulp_id, + + rc = hwrm_req_replace(bp, req, fw_msg->msg, fw_msg->msg_len); + if (rc) +- return rc; ++ goto drop_req; + + hwrm_req_timeout(bp, req, fw_msg->timeout); + resp = hwrm_req_hold(bp, req); +@@ -264,6 +264,7 @@ static int bnxt_send_msg(struct bnxt_en_dev *edev, unsigned int ulp_id, + + memcpy(fw_msg->resp, resp, resp_len); + } ++drop_req: + hwrm_req_drop(bp, req); + return rc; + } +-- +2.39.5 + diff --git a/queue-6.1/cxgb4-avoid-removal-of-uninserted-tid.patch b/queue-6.1/cxgb4-avoid-removal-of-uninserted-tid.patch new file mode 100644 index 00000000000..af0bf43016b --- /dev/null +++ b/queue-6.1/cxgb4-avoid-removal-of-uninserted-tid.patch @@ -0,0 +1,42 @@ +From 6cef5b467704c3a86ff189e2d1571b213edf8476 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 14:53:27 +0530 +Subject: cxgb4: Avoid removal of uninserted tid + +From: Anumula Murali Mohan Reddy + +[ Upstream commit 4c1224501e9d6c5fd12d83752f1c1b444e0e3418 ] + +During ARP failure, tid is not inserted but _c4iw_free_ep() +attempts to remove tid which results in error. +This patch fixes the issue by avoiding removal of uninserted tid. + +Fixes: 59437d78f088 ("cxgb4/chtls: fix ULD connection failures due to wrong TID base") +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Link: https://patch.msgid.link/20250103092327.1011925-1-anumula@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 7ce112b95b62..c09240a5693b 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -1800,7 +1800,10 @@ void cxgb4_remove_tid(struct tid_info *t, unsigned int chan, unsigned int tid, + struct adapter *adap = container_of(t, struct adapter, tids); + struct sk_buff *skb; + +- WARN_ON(tid_out_of_range(&adap->tids, tid)); ++ if (tid_out_of_range(&adap->tids, tid)) { ++ dev_err(adap->pdev_dev, "tid %d out of range\n", tid); ++ return; ++ } + + if (t->tid_tab[tid - adap->tids.tid_base]) { + t->tid_tab[tid - adap->tids.tid_base] = NULL; +-- +2.39.5 + diff --git a/queue-6.1/ice-fix-incorrect-phy-settings-for-100-gb-s.patch b/queue-6.1/ice-fix-incorrect-phy-settings-for-100-gb-s.patch new file mode 100644 index 00000000000..82caa9761dc --- /dev/null +++ b/queue-6.1/ice-fix-incorrect-phy-settings-for-100-gb-s.patch @@ -0,0 +1,65 @@ +From 2fda5bf49fc75b59f069ef3ba78d6ccef77ce68c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 14:22:18 +0100 +Subject: ice: fix incorrect PHY settings for 100 GB/s + +From: Przemyslaw Korba + +[ Upstream commit 6c5b989116083a98f45aada548ff54e7a83a9c2d ] + +ptp4l application reports too high offset when ran on E823 device +with a 100GB/s link. Those values cannot go under 100ns, like in a +working case when using 100 GB/s cable. + +This is due to incorrect frequency settings on the PHY clocks for +100 GB/s speed. Changes are introduced to align with the internal +hardware documentation, and correctly initialize frequency in PHY +clocks with the frequency values that are in our HW spec. + +To reproduce the issue run ptp4l as a Time Receiver on E823 device, +and observe the offset, which will never approach values seen +in the PTP working case. + +Reproduction output: +ptp4l -i enp137s0f3 -m -2 -s -f /etc/ptp4l_8275.conf +ptp4l[5278.775]: master offset 12470 s2 freq +41288 path delay -3002 +ptp4l[5278.837]: master offset 10525 s2 freq +39202 path delay -3002 +ptp4l[5278.900]: master offset -24840 s2 freq -20130 path delay -3002 +ptp4l[5278.963]: master offset 10597 s2 freq +37908 path delay -3002 +ptp4l[5279.025]: master offset 8883 s2 freq +36031 path delay -3002 +ptp4l[5279.088]: master offset 7267 s2 freq +34151 path delay -3002 +ptp4l[5279.150]: master offset 5771 s2 freq +32316 path delay -3002 +ptp4l[5279.213]: master offset 4388 s2 freq +30526 path delay -3002 +ptp4l[5279.275]: master offset -30434 s2 freq -28485 path delay -3002 +ptp4l[5279.338]: master offset -28041 s2 freq -27412 path delay -3002 +ptp4l[5279.400]: master offset 7870 s2 freq +31118 path delay -3002 + +Fixes: 3a7496234d17 ("ice: implement basic E822 PTP support") +Reviewed-by: Milena Olech +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h +index 4109aa3b2fcd..87ce20540f57 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h ++++ b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h +@@ -359,9 +359,9 @@ const struct ice_vernier_info_e822 e822_vernier[NUM_ICE_PTP_LNK_SPD] = { + /* rx_desk_rsgb_par */ + 644531250, /* 644.53125 MHz Reed Solomon gearbox */ + /* tx_desk_rsgb_pcs */ +- 644531250, /* 644.53125 MHz Reed Solomon gearbox */ ++ 390625000, /* 390.625 MHz Reed Solomon gearbox */ + /* rx_desk_rsgb_pcs */ +- 644531250, /* 644.53125 MHz Reed Solomon gearbox */ ++ 390625000, /* 390.625 MHz Reed Solomon gearbox */ + /* tx_fixed_delay */ + 1620, + /* pmd_adj_divisor */ +-- +2.39.5 + diff --git a/queue-6.1/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch b/queue-6.1/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch new file mode 100644 index 00000000000..e1acce906be --- /dev/null +++ b/queue-6.1/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch @@ -0,0 +1,45 @@ +From 6d7de904e3b2064ad494b10a2d876b520bab0e65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2024 19:27:12 +0100 +Subject: ieee802154: ca8210: Add missing check for kfifo_alloc() in + ca8210_probe() + +From: Keisuke Nishimura + +[ Upstream commit 2c87309ea741341c6722efdf1fb3f50dd427c823 ] + +ca8210_test_interface_init() returns the result of kfifo_alloc(), +which can be non-zero in case of an error. The caller, ca8210_probe(), +should check the return value and do error-handling if it fails. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Keisuke Nishimura +Reviewed-by: Simon Horman +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/20241029182712.318271-1-keisuke.nishimura@inria.fr +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index c2201e0adc46..1659bbffdb91 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -3078,7 +3078,11 @@ static int ca8210_probe(struct spi_device *spi_device) + spi_set_drvdata(priv->spi, priv); + if (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS)) { + cascoda_api_upstream = ca8210_test_int_driver_write; +- ca8210_test_interface_init(priv); ++ ret = ca8210_test_interface_init(priv); ++ if (ret) { ++ dev_crit(&spi_device->dev, "ca8210_test_interface_init failed\n"); ++ goto error; ++ } + } else { + cascoda_api_upstream = NULL; + } +-- +2.39.5 + diff --git a/queue-6.1/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch b/queue-6.1/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch new file mode 100644 index 00000000000..2e0019d6720 --- /dev/null +++ b/queue-6.1/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch @@ -0,0 +1,56 @@ +From 4a033f1bd2a068700515b2e6749e20e4d849fb6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 20:23:00 -0500 +Subject: net: 802: LLC+SNAP OID:PID lookup on start of skb data + +From: Antonio Pastor + +[ Upstream commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 ] + +802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA +have skb->transport_header set two bytes short, or pointing 2 bytes +before network_header & skb->data. This was an issue as snap_rcv() +expected offset to point to SNAP header (OID:PID), causing packet to +be dropped. + +A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any +LLC consumers that may care about it, and stops SNAP packets from being +dropped, but doesn't fix the problem which is that LLC and SNAP should +not use transport_header offset. + +Ths patch eliminates the use of transport_header offset for SNAP lookup +of OID:PID so that SNAP does not rely on the offset at all. +The offset is reset after pull for any SNAP packet consumers that may +(but shouldn't) use it. + +Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +Signed-off-by: Antonio Pastor +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250103012303.746521-1-antonio.pastor@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/802/psnap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/802/psnap.c b/net/802/psnap.c +index 1406bfdbda13..dbd9647f2ef1 100644 +--- a/net/802/psnap.c ++++ b/net/802/psnap.c +@@ -55,11 +55,11 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, + goto drop; + + rcu_read_lock(); +- proto = find_snap_client(skb_transport_header(skb)); ++ proto = find_snap_client(skb->data); + if (proto) { + /* Pass the frame on. */ +- skb->transport_header += 5; + skb_pull_rcsum(skb, 5); ++ skb_reset_transport_header(skb); + rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); + } + rcu_read_unlock(); +-- +2.39.5 + diff --git a/queue-6.1/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch b/queue-6.1/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch new file mode 100644 index 00000000000..e6b944eb70b --- /dev/null +++ b/queue-6.1/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch @@ -0,0 +1,96 @@ +From e526c88c77e58ff9018ecd16eae32c74ffeb6567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:38 +0800 +Subject: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices + +From: Jie Wang + +[ Upstream commit 2cf246143519ecc11dab754385ec42d78b6b6a05 ] + +Currently, HIP08 devices does not register the ptp devices, so the +hdev->ptp is NULL. But the tx process would still try to set hardware time +stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash. + +[ 128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 +... +[ 128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge] +[ 128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge] +[ 128.292938] sp : ffff800059b93140 +[ 128.297200] x29: ffff800059b93140 x28: 0000000000003280 +[ 128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080 +[ 128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001 +[ 128.315969] x23: 0000000000000000 x22: 0000000000000194 +[ 128.322219] x21: ffff0cd94f986000 x20: 0000000000000000 +[ 128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000 +[ 128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24 +[ 128.340934] x15: 0000ffffd530a518 x14: 0000000000000000 +[ 128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368 +[ 128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02 +[ 128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0 +[ 128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000 +[ 128.372040] x5 : 0000000000000000 x4 : 000000000000ffff +[ 128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294 +[ 128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080 +[ 128.390626] Call trace: +[ 128.393964] hclge_ptp_set_tx_info+0x2c/0x140 [hclge] +[ 128.399893] hns3_nic_net_xmit+0x39c/0x4c4 [hns3] +[ 128.405468] xmit_one.constprop.0+0xc4/0x200 +[ 128.410600] dev_hard_start_xmit+0x54/0xf0 +[ 128.415556] sch_direct_xmit+0xe8/0x634 +[ 128.420246] __dev_queue_xmit+0x224/0xc70 +[ 128.425101] dev_queue_xmit+0x1c/0x40 +[ 128.429608] ovs_vport_send+0xac/0x1a0 [openvswitch] +[ 128.435409] do_output+0x60/0x17c [openvswitch] +[ 128.440770] do_execute_actions+0x898/0x8c4 [openvswitch] +[ 128.446993] ovs_execute_actions+0x64/0xf0 [openvswitch] +[ 128.453129] ovs_dp_process_packet+0xa0/0x224 [openvswitch] +[ 128.459530] ovs_vport_receive+0x7c/0xfc [openvswitch] +[ 128.465497] internal_dev_xmit+0x34/0xb0 [openvswitch] +[ 128.471460] xmit_one.constprop.0+0xc4/0x200 +[ 128.476561] dev_hard_start_xmit+0x54/0xf0 +[ 128.481489] __dev_queue_xmit+0x968/0xc70 +[ 128.486330] dev_queue_xmit+0x1c/0x40 +[ 128.490856] ip_finish_output2+0x250/0x570 +[ 128.495810] __ip_finish_output+0x170/0x1e0 +[ 128.500832] ip_finish_output+0x3c/0xf0 +[ 128.505504] ip_output+0xbc/0x160 +[ 128.509654] ip_send_skb+0x58/0xd4 +[ 128.513892] udp_send_skb+0x12c/0x354 +[ 128.518387] udp_sendmsg+0x7a8/0x9c0 +[ 128.522793] inet_sendmsg+0x4c/0x8c +[ 128.527116] __sock_sendmsg+0x48/0x80 +[ 128.531609] __sys_sendto+0x124/0x164 +[ 128.536099] __arm64_sys_sendto+0x30/0x5c +[ 128.540935] invoke_syscall+0x50/0x130 +[ 128.545508] el0_svc_common.constprop.0+0x10c/0x124 +[ 128.551205] do_el0_svc+0x34/0xdc +[ 128.555347] el0_svc+0x20/0x30 +[ 128.559227] el0_sync_handler+0xb8/0xc0 +[ 128.563883] el0_sync+0x160/0x180 + +Fixes: 0bf5eb788512 ("net: hns3: add support for PTP") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c +index 0f06f95b09bc..8802cdd6403e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c +@@ -70,6 +70,9 @@ bool hclge_ptp_set_tx_info(struct hnae3_handle *handle, struct sk_buff *skb) + struct hclge_dev *hdev = vport->back; + struct hclge_ptp *ptp = hdev->ptp; + ++ if (!ptp) ++ return false; ++ + if (!test_bit(HCLGE_PTP_FLAG_TX_EN, &ptp->flags) || + test_and_set_bit(HCLGE_STATE_PTP_TX_HANDLING, &hdev->state)) { + ptp->tx_skipped++; +-- +2.39.5 + diff --git a/queue-6.1/net-hns3-fix-missing-features-due-to-dev-features-co.patch b/queue-6.1/net-hns3-fix-missing-features-due-to-dev-features-co.patch new file mode 100644 index 00000000000..5beea7dcaba --- /dev/null +++ b/queue-6.1/net-hns3-fix-missing-features-due-to-dev-features-co.patch @@ -0,0 +1,39 @@ +From 713c2d2cfa899a00d72784c1d0812c7aa2cd56d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:33 +0800 +Subject: net: hns3: fix missing features due to dev->features configuration + too early + +From: Hao Lan + +[ Upstream commit 662ecfc46690e92cf630f51b5d4bbbcffe102980 ] + +Currently, the netdev->features is configured in hns3_nic_set_features. +As a result, __netdev_update_features considers that there is no feature +difference, and the procedures of the real features are missing. + +Fixes: 2a7556bb2b73 ("net: hns3: implement ndo_features_check ops for hns3 driver") +Signed-off-by: Hao Lan +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 0377a056aaec..52e205be4ec2 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2455,7 +2455,6 @@ static int hns3_nic_set_features(struct net_device *netdev, + return ret; + } + +- netdev->features = features; + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.1/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch b/queue-6.1/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch new file mode 100644 index 00000000000..6bc03544701 --- /dev/null +++ b/queue-6.1/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch @@ -0,0 +1,45 @@ +From f2ac81ac141cb8be6a90312e52f7e38c2e82973b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:36 +0800 +Subject: net: hns3: initialize reset_timer before hclgevf_misc_irq_init() + +From: Jian Shen + +[ Upstream commit d1c2e2961ab460ac2433ff8ad46000582abc573c ] + +Currently the misc irq is initialized before reset_timer setup. But +it will access the reset_timer in the irq handler. So initialize +the reset_timer earlier. + +Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index aebb104f4c29..89560484bf46 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2307,6 +2307,7 @@ static void hclgevf_state_init(struct hclgevf_dev *hdev) + clear_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state); + + INIT_DELAYED_WORK(&hdev->service_task, hclgevf_service_task); ++ timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0); + + mutex_init(&hdev->mbx_resp.mbx_mutex); + sema_init(&hdev->reset_sem, 1); +@@ -3005,7 +3006,6 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev) + HCLGEVF_DRIVER_NAME); + + hclgevf_task_schedule(hdev, round_jiffies_relative(HZ)); +- timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0); + + return 0; + +-- +2.39.5 + diff --git a/queue-6.1/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch b/queue-6.1/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch new file mode 100644 index 00000000000..cee9c839547 --- /dev/null +++ b/queue-6.1/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch @@ -0,0 +1,47 @@ +From 6da1c148558087b44baa5612c175ec41546ebb71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:34 +0800 +Subject: net: hns3: Resolved the issue that the debugfs query result is + inconsistent. + +From: Hao Lan + +[ Upstream commit 2758f18a83ef283d50c0566d3f672621cc658a1a ] + +This patch modifies the implementation of debugfs: +When the user process stops unexpectedly, not all data of the file system +is read. In this case, the save_buf pointer is not released. When the user +process is called next time, save_buf is used to copy the cached data +to the user space. As a result, the queried data is inconsistent. To solve +this problem, determine whether the function is invoked for the first time +based on the value of *ppos. If *ppos is 0, obtain the actual data. + +Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") +Signed-off-by: Hao Lan +Signed-off-by: Guangwei Zhang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index d2603cfc122c..87720a74341b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -1279,8 +1279,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, + + /* save the buffer addr until the last read operation */ + *save_buf = read_buf; ++ } + +- /* get data ready for the first time to read */ ++ /* get data ready for the first time to read */ ++ if (!*ppos) { + ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd, + read_buf, hns3_dbg_cmd[index].buf_len); + if (ret) +-- +2.39.5 + diff --git a/queue-6.1/net-mlx5-fix-variable-not-being-completed-when-funct.patch b/queue-6.1/net-mlx5-fix-variable-not-being-completed-when-funct.patch new file mode 100644 index 00000000000..78a6d63ee8d --- /dev/null +++ b/queue-6.1/net-mlx5-fix-variable-not-being-completed-when-funct.patch @@ -0,0 +1,62 @@ +From 8ee1a82437de809a641a9d83be604ec117373cf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 11:00:09 +0800 +Subject: net/mlx5: Fix variable not being completed when function returns + +From: Chenguang Zhao + +[ Upstream commit 0e2909c6bec9048f49d0c8e16887c63b50b14647 ] + +When cmd_alloc_index(), fails cmd_work_handler() needs +to complete ent->slotted before returning early. +Otherwise the task which issued the command may hang: + + mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry + INFO: task kworker/13:2:4055883 blocked for more than 120 seconds. + Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + kworker/13:2 D 0 4055883 2 0x00000228 + Workqueue: events mlx5e_tx_dim_work [mlx5_core] + Call trace: + __switch_to+0xe8/0x150 + __schedule+0x2a8/0x9b8 + schedule+0x2c/0x88 + schedule_timeout+0x204/0x478 + wait_for_common+0x154/0x250 + wait_for_completion+0x28/0x38 + cmd_exec+0x7a0/0xa00 [mlx5_core] + mlx5_cmd_exec+0x54/0x80 [mlx5_core] + mlx5_core_modify_cq+0x6c/0x80 [mlx5_core] + mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core] + mlx5e_tx_dim_work+0x54/0x68 [mlx5_core] + process_one_work+0x1b0/0x448 + worker_thread+0x54/0x468 + kthread+0x134/0x138 + ret_from_fork+0x10/0x18 + +Fixes: 485d65e13571 ("net/mlx5: Add a timeout to acquire the command queue semaphore") +Signed-off-by: Chenguang Zhao +Reviewed-by: Moshe Shemesh +Acked-by: Tariq Toukan +Link: https://patch.msgid.link/20250108030009.68520-1-zhaochenguang@kylinos.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 4a1eb6cd699c..6dbb4021fd2f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1003,6 +1003,7 @@ static void cmd_work_handler(struct work_struct *work) + complete(&ent->done); + } + up(&cmd->vars.sem); ++ complete(&ent->slotted); + return; + } + } else { +-- +2.39.5 + diff --git a/queue-6.1/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch b/queue-6.1/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch new file mode 100644 index 00000000000..2f23139ed48 --- /dev/null +++ b/queue-6.1/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch @@ -0,0 +1,74 @@ +From 05e7d0fd02a53afbc04462eb87cdbe09d83e7a41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 10:45:46 +0000 +Subject: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute + +From: Eric Dumazet + +[ Upstream commit a039e54397c6a75b713b9ce7894a62e06956aa92 ] + +syzbot found that TCA_FLOW_RSHIFT attribute was not validated. +Right shitfing a 32bit integer is undefined for large shift values. + +UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 +shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') +CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: ipv6_addrconf addrconf_dad_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 + flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1771 [inline] + tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 + sfb_classify net/sched/sch_sfb.c:260 [inline] + sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 + dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 + __dev_xmit_skb net/core/dev.c:3889 [inline] + __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 + dev_queue_xmit include/linux/netdevice.h:3168 [inline] + neigh_hh_output include/net/neighbour.h:523 [inline] + neigh_output include/net/neighbour.h:537 [inline] + ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 + iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 + udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 + geneve_xmit_skb drivers/net/geneve.c:916 [inline] + geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 + __netdev_start_xmit include/linux/netdevice.h:5002 [inline] + netdev_start_xmit include/linux/netdevice.h:5011 [inline] + xmit_one net/core/dev.c:3590 [inline] + dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 + __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434 + +Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier") +Reported-by: syzbot+1dbb57d994e54aaa04d2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6777bf49.050a0220.178762.0040.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250103104546.3714168-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_flow.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c +index 014cd3de7b5d..7657d86ad142 100644 +--- a/net/sched/cls_flow.c ++++ b/net/sched/cls_flow.c +@@ -354,7 +354,8 @@ static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = { + [TCA_FLOW_KEYS] = { .type = NLA_U32 }, + [TCA_FLOW_MODE] = { .type = NLA_U32 }, + [TCA_FLOW_BASECLASS] = { .type = NLA_U32 }, +- [TCA_FLOW_RSHIFT] = { .type = NLA_U32 }, ++ [TCA_FLOW_RSHIFT] = NLA_POLICY_MAX(NLA_U32, ++ 31 /* BITS_PER_U32 - 1 */), + [TCA_FLOW_ADDEND] = { .type = NLA_U32 }, + [TCA_FLOW_MASK] = { .type = NLA_U32 }, + [TCA_FLOW_XOR] = { .type = NLA_U32 }, +-- +2.39.5 + diff --git a/queue-6.1/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch b/queue-6.1/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch new file mode 100644 index 00000000000..6a1fcb8afed --- /dev/null +++ b/queue-6.1/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch @@ -0,0 +1,48 @@ +From cae372154fb5dd03c272718114a0c3e1e90bd8c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 22:56:33 +0100 +Subject: netfilter: conntrack: clamp maximum hashtable size to INT_MAX + +From: Pablo Neira Ayuso + +[ Upstream commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 ] + +Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it +is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when +resizing hashtable because __GFP_NOWARN is unset. See: + + 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") + +Note: hashtable resize is only possible from init_netns. + +Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 024f93fc8c0b..b7b2ed05ac50 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -2591,12 +2591,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls) + struct hlist_nulls_head *hash; + unsigned int nr_slots, i; + +- if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head))) ++ if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head))) + return NULL; + + BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head)); + nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head)); + ++ if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head))) ++ return NULL; ++ + hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL); + + if (hash && nulls) +-- +2.39.5 + diff --git a/queue-6.1/netfilter-nf_tables-imbalance-in-flowtable-binding.patch b/queue-6.1/netfilter-nf_tables-imbalance-in-flowtable-binding.patch new file mode 100644 index 00000000000..5d7d44946e3 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-imbalance-in-flowtable-binding.patch @@ -0,0 +1,117 @@ +From d43ccc9c3761dfd41fdd81449f2a82d4ee1edfba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 13:01:13 +0100 +Subject: netfilter: nf_tables: imbalance in flowtable binding + +From: Pablo Neira Ayuso + +[ Upstream commit 13210fc63f353fe78584048079343413a3cdf819 ] + +All these cases cause imbalance between BIND and UNBIND calls: + +- Delete an interface from a flowtable with multiple interfaces + +- Add a (device to a) flowtable with --check flag + +- Delete a netns containing a flowtable + +- In an interactive nft session, create a table with owner flag and + flowtable inside, then quit. + +Fix it by calling FLOW_BLOCK_UNBIND when unregistering hooks, then +remove late FLOW_BLOCK_UNBIND call when destroying flowtable. + +Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()") +Reported-by: Phil Sutter +Tested-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 07bcf9b7d779..8176533c50ab 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7979,6 +7979,7 @@ static void nft_unregister_flowtable_hook(struct net *net, + } + + static void __nft_unregister_flowtable_net_hooks(struct net *net, ++ struct nft_flowtable *flowtable, + struct list_head *hook_list, + bool release_netdev) + { +@@ -7986,6 +7987,8 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + + list_for_each_entry_safe(hook, next, hook_list, list) { + nf_unregister_net_hook(net, &hook->ops); ++ flowtable->data.type->setup(&flowtable->data, hook->ops.dev, ++ FLOW_BLOCK_UNBIND); + if (release_netdev) { + list_del(&hook->list); + kfree_rcu(hook, rcu); +@@ -7994,9 +7997,10 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + } + + static void nft_unregister_flowtable_net_hooks(struct net *net, ++ struct nft_flowtable *flowtable, + struct list_head *hook_list) + { +- __nft_unregister_flowtable_net_hooks(net, hook_list, false); ++ __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false); + } + + static int nft_register_flowtable_net_hooks(struct net *net, +@@ -8618,8 +8622,6 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) + + flowtable->data.type->free(&flowtable->data); + list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { +- flowtable->data.type->setup(&flowtable->data, hook->ops.dev, +- FLOW_BLOCK_UNBIND); + list_del_rcu(&hook->list); + kfree_rcu(hook, rcu); + } +@@ -9902,6 +9904,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + &nft_trans_flowtable_hooks(trans), + NFT_MSG_DELFLOWTABLE); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans)); + } else { + list_del_rcu(&nft_trans_flowtable(trans)->list); +@@ -9910,6 +9913,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + &nft_trans_flowtable(trans)->hook_list, + NFT_MSG_DELFLOWTABLE); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable(trans)->hook_list); + } + break; +@@ -10140,11 +10144,13 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + case NFT_MSG_NEWFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans)); + } else { + nft_use_dec_restore(&trans->ctx.table->use); + list_del_rcu(&nft_trans_flowtable(trans)->list); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable(trans)->hook_list); + } + break; +@@ -10685,7 +10691,8 @@ static void __nft_release_hook(struct net *net, struct nft_table *table) + list_for_each_entry(chain, &table->chains, list) + __nf_tables_unregister_hook(net, table, chain, true); + list_for_each_entry(flowtable, &table->flowtables, list) +- __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list, ++ __nft_unregister_flowtable_net_hooks(net, flowtable, ++ &flowtable->hook_list, + true); + } + +-- +2.39.5 + diff --git a/queue-6.1/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch b/queue-6.1/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch new file mode 100644 index 00000000000..65d8775c129 --- /dev/null +++ b/queue-6.1/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch @@ -0,0 +1,290 @@ +From 97a8e648132b36b31eb634ae3b18f6d812d8a5f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 13:01:05 +0100 +Subject: sched: sch_cake: add bounds checks to host bulk flow fairness counts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 737d4d91d35b5f7fa5bb442651472277318b0bfd ] + +Even though we fixed a logic error in the commit cited below, syzbot +still managed to trigger an underflow of the per-host bulk flow +counters, leading to an out of bounds memory access. + +To avoid any such logic errors causing out of bounds memory accesses, +this commit factors out all accesses to the per-host bulk flow counters +to a series of helpers that perform bounds-checking before any +increments and decrements. This also has the benefit of improving +readability by moving the conditional checks for the flow mode into +these helpers, instead of having them spread out throughout the +code (which was the cause of the original logic error). + +As part of this change, the flow quantum calculation is consolidated +into a helper function, which means that the dithering applied to the +ost load scaling is now applied both in the DRR rotation and when a +sparse flow's quantum is first initiated. The only user-visible effect +of this is that the maximum packet size that can be sent while a flow +stays sparse will now vary with +/- one byte in some cases. This should +not make a noticeable difference in practice, and thus it's not worth +complicating the code to preserve the old behaviour. + +Fixes: 546ea84d07e3 ("sched: sch_cake: fix bulk flow accounting logic for host fairness") +Reported-by: syzbot+f63600d288bfb7057424@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Dave Taht +Link: https://patch.msgid.link/20250107120105.70685-1-toke@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 140 +++++++++++++++++++++++-------------------- + 1 file changed, 75 insertions(+), 65 deletions(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index eee9ebad35a5..12dd4d41605c 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -643,6 +643,63 @@ static bool cake_ddst(int flow_mode) + return (flow_mode & CAKE_FLOW_DUAL_DST) == CAKE_FLOW_DUAL_DST; + } + ++static void cake_dec_srchost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_dsrc(flow_mode) && ++ q->hosts[flow->srchost].srchost_bulk_flow_count)) ++ q->hosts[flow->srchost].srchost_bulk_flow_count--; ++} ++ ++static void cake_inc_srchost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_dsrc(flow_mode) && ++ q->hosts[flow->srchost].srchost_bulk_flow_count < CAKE_QUEUES)) ++ q->hosts[flow->srchost].srchost_bulk_flow_count++; ++} ++ ++static void cake_dec_dsthost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_ddst(flow_mode) && ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count)) ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count--; ++} ++ ++static void cake_inc_dsthost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_ddst(flow_mode) && ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count < CAKE_QUEUES)) ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count++; ++} ++ ++static u16 cake_get_flow_quantum(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ u16 host_load = 1; ++ ++ if (cake_dsrc(flow_mode)) ++ host_load = max(host_load, ++ q->hosts[flow->srchost].srchost_bulk_flow_count); ++ ++ if (cake_ddst(flow_mode)) ++ host_load = max(host_load, ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count); ++ ++ /* The get_random_u16() is a way to apply dithering to avoid ++ * accumulating roundoff errors ++ */ ++ return (q->flow_quantum * quantum_div[host_load] + ++ get_random_u16()) >> 16; ++} ++ + static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + int flow_mode, u16 flow_override, u16 host_override) + { +@@ -789,10 +846,8 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + allocate_dst = cake_ddst(flow_mode); + + if (q->flows[outer_hash + k].set == CAKE_SET_BULK) { +- if (allocate_src) +- q->hosts[q->flows[reduced_hash].srchost].srchost_bulk_flow_count--; +- if (allocate_dst) +- q->hosts[q->flows[reduced_hash].dsthost].dsthost_bulk_flow_count--; ++ cake_dec_srchost_bulk_flow_count(q, &q->flows[outer_hash + k], flow_mode); ++ cake_dec_dsthost_bulk_flow_count(q, &q->flows[outer_hash + k], flow_mode); + } + found: + /* reserve queue for future packets in same flow */ +@@ -817,9 +872,10 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + q->hosts[outer_hash + k].srchost_tag = srchost_hash; + found_src: + srchost_idx = outer_hash + k; +- if (q->flows[reduced_hash].set == CAKE_SET_BULK) +- q->hosts[srchost_idx].srchost_bulk_flow_count++; + q->flows[reduced_hash].srchost = srchost_idx; ++ ++ if (q->flows[reduced_hash].set == CAKE_SET_BULK) ++ cake_inc_srchost_bulk_flow_count(q, &q->flows[reduced_hash], flow_mode); + } + + if (allocate_dst) { +@@ -840,9 +896,10 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + q->hosts[outer_hash + k].dsthost_tag = dsthost_hash; + found_dst: + dsthost_idx = outer_hash + k; +- if (q->flows[reduced_hash].set == CAKE_SET_BULK) +- q->hosts[dsthost_idx].dsthost_bulk_flow_count++; + q->flows[reduced_hash].dsthost = dsthost_idx; ++ ++ if (q->flows[reduced_hash].set == CAKE_SET_BULK) ++ cake_inc_dsthost_bulk_flow_count(q, &q->flows[reduced_hash], flow_mode); + } + } + +@@ -1855,10 +1912,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + /* flowchain */ + if (!flow->set || flow->set == CAKE_SET_DECAYING) { +- struct cake_host *srchost = &b->hosts[flow->srchost]; +- struct cake_host *dsthost = &b->hosts[flow->dsthost]; +- u16 host_load = 1; +- + if (!flow->set) { + list_add_tail(&flow->flowchain, &b->new_flows); + } else { +@@ -1868,18 +1921,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + flow->set = CAKE_SET_SPARSE; + b->sparse_flow_count++; + +- if (cake_dsrc(q->flow_mode)) +- host_load = max(host_load, srchost->srchost_bulk_flow_count); +- +- if (cake_ddst(q->flow_mode)) +- host_load = max(host_load, dsthost->dsthost_bulk_flow_count); +- +- flow->deficit = (b->flow_quantum * +- quantum_div[host_load]) >> 16; ++ flow->deficit = cake_get_flow_quantum(b, flow, q->flow_mode); + } else if (flow->set == CAKE_SET_SPARSE_WAIT) { +- struct cake_host *srchost = &b->hosts[flow->srchost]; +- struct cake_host *dsthost = &b->hosts[flow->dsthost]; +- + /* this flow was empty, accounted as a sparse flow, but actually + * in the bulk rotation. + */ +@@ -1887,12 +1930,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + b->sparse_flow_count--; + b->bulk_flow_count++; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count++; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count++; +- ++ cake_inc_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_inc_dsthost_bulk_flow_count(b, flow, q->flow_mode); + } + + if (q->buffer_used > q->buffer_max_used) +@@ -1949,13 +1988,11 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + { + struct cake_sched_data *q = qdisc_priv(sch); + struct cake_tin_data *b = &q->tins[q->cur_tin]; +- struct cake_host *srchost, *dsthost; + ktime_t now = ktime_get(); + struct cake_flow *flow; + struct list_head *head; + bool first_flow = true; + struct sk_buff *skb; +- u16 host_load; + u64 delay; + u32 len; + +@@ -2055,11 +2092,6 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + q->cur_flow = flow - b->flows; + first_flow = false; + +- /* triple isolation (modified DRR++) */ +- srchost = &b->hosts[flow->srchost]; +- dsthost = &b->hosts[flow->dsthost]; +- host_load = 1; +- + /* flow isolation (DRR++) */ + if (flow->deficit <= 0) { + /* Keep all flows with deficits out of the sparse and decaying +@@ -2071,11 +2103,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + b->sparse_flow_count--; + b->bulk_flow_count++; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count++; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count++; ++ cake_inc_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_inc_dsthost_bulk_flow_count(b, flow, q->flow_mode); + + flow->set = CAKE_SET_BULK; + } else { +@@ -2087,19 +2116,7 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + } + } + +- if (cake_dsrc(q->flow_mode)) +- host_load = max(host_load, srchost->srchost_bulk_flow_count); +- +- if (cake_ddst(q->flow_mode)) +- host_load = max(host_load, dsthost->dsthost_bulk_flow_count); +- +- WARN_ON(host_load > CAKE_QUEUES); +- +- /* The get_random_u16() is a way to apply dithering to avoid +- * accumulating roundoff errors +- */ +- flow->deficit += (b->flow_quantum * quantum_div[host_load] + +- get_random_u16()) >> 16; ++ flow->deficit += cake_get_flow_quantum(b, flow, q->flow_mode); + list_move_tail(&flow->flowchain, &b->old_flows); + + goto retry; +@@ -2123,11 +2140,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + if (flow->set == CAKE_SET_BULK) { + b->bulk_flow_count--; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count--; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count--; ++ cake_dec_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_dec_dsthost_bulk_flow_count(b, flow, q->flow_mode); + + b->decaying_flow_count++; + } else if (flow->set == CAKE_SET_SPARSE || +@@ -2145,12 +2159,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + else if (flow->set == CAKE_SET_BULK) { + b->bulk_flow_count--; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count--; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count--; +- ++ cake_dec_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_dec_dsthost_bulk_flow_count(b, flow, q->flow_mode); + } else + b->decaying_flow_count--; + +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index 3180901934b..3d1d081161f 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -10,3 +10,22 @@ exfat-fix-the-infinite-loop-in-exfat_readdir.patch exfat-fix-the-infinite-loop-in-__exfat_free_cluster.patch scripts-sorttable-fix-orc_sort_cmp-to-maintain-symme.patch asoc-mediatek-disable-buffer-pre-allocation.patch +ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch +net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch +tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch +tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch +net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch +bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch +cxgb4-avoid-removal-of-uninserted-tid.patch +ice-fix-incorrect-phy-settings-for-100-gb-s.patch +tls-fix-tls_sw_sendmsg-error-handling.patch +bluetooth-hci_sync-fix-not-setting-random-address-wh.patch +tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch +net-hns3-fix-missing-features-due-to-dev-features-co.patch +net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch +net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch +net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch +netfilter-nf_tables-imbalance-in-flowtable-binding.patch +netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch +sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch +net-mlx5-fix-variable-not-being-completed-when-funct.patch diff --git a/queue-6.1/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch b/queue-6.1/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch new file mode 100644 index 00000000000..d799824c473 --- /dev/null +++ b/queue-6.1/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch @@ -0,0 +1,40 @@ +From 3d818b251f438acecddecb38a55ebf34b0806a2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 11:14:39 +0100 +Subject: tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset + +From: Daniel Borkmann + +[ Upstream commit 80fb40baba19e25a1b6f3ecff6fc5c0171806bde ] + +This is a follow-up to 3c5b4d69c358 ("net: annotate data-races around +sk->sk_mark"). sk->sk_mark can be read and written without holding +the socket lock. IPv6 equivalent is already covered with READ_ONCE() +annotation in tcp_v6_send_response(). + +Fixes: 3c5b4d69c358 ("net: annotate data-races around sk->sk_mark") +Signed-off-by: Daniel Borkmann +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/f459d1fc44f205e13f6d8bdca2c8bfb9902ffac9.1736244569.git.daniel@iogearbox.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 984435cb1013..805b1a9eca1c 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -832,7 +832,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + sock_net_set(ctl_sk, net); + if (sk) { + ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ? +- inet_twsk(sk)->tw_mark : sk->sk_mark; ++ inet_twsk(sk)->tw_mark : READ_ONCE(sk->sk_mark); + ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ? + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); +-- +2.39.5 + diff --git a/queue-6.1/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch b/queue-6.1/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch new file mode 100644 index 00000000000..4a549fa773a --- /dev/null +++ b/queue-6.1/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch @@ -0,0 +1,47 @@ +From 7e4468e5438b8cd4c128607f20b9ac3b545b680b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 17:14:26 +0000 +Subject: tcp/dccp: allow a connection when sk_max_ack_backlog is zero + +From: Zhongqiu Duan + +[ Upstream commit 3479c7549fb1dfa7a1db4efb7347c7b8ef50de4b ] + +If the backlog of listen() is set to zero, sk_acceptq_is_full() allows +one connection to be made, but inet_csk_reqsk_queue_is_full() does not. +When the net.ipv4.tcp_syncookies is zero, inet_csk_reqsk_queue_is_full() +will cause an immediate drop before the sk_acceptq_is_full() check in +tcp_conn_request(), resulting in no connection can be made. + +This patch tries to keep consistent with 64a146513f8f ("[NET]: Revert +incorrect accept queue backlog changes."). + +Link: https://lore.kernel.org/netdev/20250102080258.53858-1-kuniyu@amazon.com/ +Fixes: ef547f2ac16b ("tcp: remove max_qlen_log") +Signed-off-by: Zhongqiu Duan +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250102171426.915276-1-dzq.aishenghu0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 1611fb656ea9..7649d4901f0c 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -281,7 +281,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); ++ return inet_csk_reqsk_queue_len(sk) > READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-6.1/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch b/queue-6.1/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch new file mode 100644 index 00000000000..ed9f455e346 --- /dev/null +++ b/queue-6.1/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch @@ -0,0 +1,40 @@ +From 74f3cb5b6b933532aa92491f06f58753c6854bed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 17:05:21 +0800 +Subject: tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog + +From: Jason Xing + +[ Upstream commit 9a79c65f00e2b036e17af3a3a607d7d732b7affb ] + +Since commit 099ecf59f05b ("net: annotate lockless accesses to +sk->sk_max_ack_backlog") decided to handle the sk_max_ack_backlog +locklessly, there is one more function mostly called in TCP/DCCP +cases. So this patch completes it:) + +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240331090521.71965-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 3479c7549fb1 ("tcp/dccp: allow a connection when sk_max_ack_backlog is zero") +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 4242f863f560..1611fb656ea9 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -281,7 +281,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog; ++ return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-6.1/tls-fix-tls_sw_sendmsg-error-handling.patch b/queue-6.1/tls-fix-tls_sw_sendmsg-error-handling.patch new file mode 100644 index 00000000000..4f1ec76016b --- /dev/null +++ b/queue-6.1/tls-fix-tls_sw_sendmsg-error-handling.patch @@ -0,0 +1,46 @@ +From ce8bd9fda4136e6987c0e4cf7e02648dd311ec8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2025 10:29:45 -0500 +Subject: tls: Fix tls_sw_sendmsg error handling + +From: Benjamin Coddington + +[ Upstream commit b341ca51d2679829d26a3f6a4aa9aee9abd94f92 ] + +We've noticed that NFS can hang when using RPC over TLS on an unstable +connection, and investigation shows that the RPC layer is stuck in a tight +loop attempting to transmit, but forever getting -EBADMSG back from the +underlying network. The loop begins when tcp_sendmsg_locked() returns +-EPIPE to tls_tx_records(), but that error is converted to -EBADMSG when +calling the socket's error reporting handler. + +Instead of converting errors from tcp_sendmsg_locked(), let's pass them +along in this path. The RPC layer handles -EPIPE by reconnecting the +transport, which prevents the endless attempts to transmit on a broken +connection. + +Signed-off-by: Benjamin Coddington +Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") +Link: https://patch.msgid.link/9594185559881679d81f071b181a10eb07cd079f.1736004079.git.bcodding@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 348abadbc2d8..5310441240e7 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -452,7 +452,7 @@ int tls_tx_records(struct sock *sk, int flags) + + tx_err: + if (rc < 0 && rc != -EAGAIN) +- tls_err_abort(sk, -EBADMSG); ++ tls_err_abort(sk, rc); + + return rc; + } +-- +2.39.5 +