From: Sasha Levin Date: Mon, 12 Dec 2022 05:44:17 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.9.336~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2fe64c129597bf30fa8029514590611a331d1576;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch b/queue-5.4/af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch new file mode 100644 index 00000000000..73686c75a25 --- /dev/null +++ b/queue-5.4/af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch @@ -0,0 +1,166 @@ +From 9af95f652de631c0de00af82b660e9057499015d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Nov 2022 10:24:11 +0900 +Subject: af_unix: Get user_ns from in_skb in unix_diag_get_exact(). + +From: Kuniyuki Iwashima + +[ Upstream commit b3abe42e94900bdd045c472f9c9be620ba5ce553 ] + +Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed +the root cause: in unix_diag_get_exact(), the newly allocated skb does not +have sk. [2] + +We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to +sk_diag_fill(). + +[0]: +BUG: kernel NULL pointer dereference, address: 0000000000000270 +#PF: supervisor read access in kernel mode +#PF: error_code(0x0000) - not-present page +PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP +CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 +RIP: 0010:sk_user_ns include/net/sock.h:920 [inline] +RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline] +RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170 +Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8 +54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b +9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d +RSP: 0018:ffffc90000d67968 EFLAGS: 00010246 +RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d +RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270 +RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000 +R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800 +R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940 +FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + unix_diag_get_exact net/unix/diag.c:285 [inline] + unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317 + __sock_diag_cmd net/core/sock_diag.c:235 [inline] + sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266 + netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564 + sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277 + netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] + netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356 + netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0x38f/0x500 net/socket.c:2476 + ___sys_sendmsg net/socket.c:2530 [inline] + __sys_sendmsg+0x197/0x230 net/socket.c:2559 + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x4697f9 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9 +RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 +RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80 +R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0 + +Modules linked in: +CR2: 0000000000000270 + +[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/ +[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/ + +Fixes: cae9910e7344 ("net: Add UNIX_DIAG_UID to Netlink UNIX socket diagnostics.") +Reported-by: syzbot +Reported-by: Wei Chen +Diagnosed-by: Paolo Abeni +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 9ff64f9df1f3..951b33fa8f5c 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -113,14 +113,16 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) + return nla_put(nlskb, UNIX_DIAG_RQLEN, sizeof(rql), &rql); + } + +-static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb) ++static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb, ++ struct user_namespace *user_ns) + { +- uid_t uid = from_kuid_munged(sk_user_ns(nlskb->sk), sock_i_uid(sk)); ++ uid_t uid = from_kuid_munged(user_ns, sock_i_uid(sk)); + return nla_put(nlskb, UNIX_DIAG_UID, sizeof(uid_t), &uid); + } + + static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req, +- u32 portid, u32 seq, u32 flags, int sk_ino) ++ struct user_namespace *user_ns, ++ u32 portid, u32 seq, u32 flags, int sk_ino) + { + struct nlmsghdr *nlh; + struct unix_diag_msg *rep; +@@ -166,7 +168,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + goto out_nlmsg_trim; + + if ((req->udiag_show & UDIAG_SHOW_UID) && +- sk_diag_dump_uid(sk, skb)) ++ sk_diag_dump_uid(sk, skb, user_ns)) + goto out_nlmsg_trim; + + nlmsg_end(skb, nlh); +@@ -178,7 +180,8 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + } + + static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req, +- u32 portid, u32 seq, u32 flags) ++ struct user_namespace *user_ns, ++ u32 portid, u32 seq, u32 flags) + { + int sk_ino; + +@@ -189,7 +192,7 @@ static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + if (!sk_ino) + return 0; + +- return sk_diag_fill(sk, skb, req, portid, seq, flags, sk_ino); ++ return sk_diag_fill(sk, skb, req, user_ns, portid, seq, flags, sk_ino); + } + + static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) +@@ -217,7 +220,7 @@ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) + goto next; + if (!(req->udiag_states & (1 << sk->sk_state))) + goto next; +- if (sk_diag_dump(sk, skb, req, ++ if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk), + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI) < 0) +@@ -285,7 +288,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb, + if (!rep) + goto out; + +- err = sk_diag_fill(sk, rep, req, NETLINK_CB(in_skb).portid, ++ err = sk_diag_fill(sk, rep, req, sk_user_ns(NETLINK_CB(in_skb).sk), ++ NETLINK_CB(in_skb).portid, + nlh->nlmsg_seq, 0, req->udiag_ino); + if (err < 0) { + nlmsg_free(rep); +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch b/queue-5.4/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch new file mode 100644 index 00000000000..dd990ea00e7 --- /dev/null +++ b/queue-5.4/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch @@ -0,0 +1,35 @@ +From 4f4296d54d0c31005e4d44fd2b3a506f9ca9a88e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 17:37:26 +0800 +Subject: Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() + +From: Wang ShaoBo + +[ Upstream commit 747da1308bdd5021409974f9180f0d8ece53d142 ] + +hci_get_route() takes reference, we should use hci_dev_put() to release +it when not need anymore. + +Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one") +Signed-off-by: Wang ShaoBo +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/6lowpan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 52fb6d6d6d58..bccad8c048da 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -1002,6 +1002,7 @@ static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type, + hci_dev_lock(hdev); + hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type); + hci_dev_unlock(hdev); ++ hci_dev_put(hdev); + + if (!hcon) + return -ENOENT; +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch b/queue-5.4/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch new file mode 100644 index 00000000000..173904e3ea1 --- /dev/null +++ b/queue-5.4/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch @@ -0,0 +1,57 @@ +From 3b5a4ce106ce67f3016beabc2aef3b0230bc6dab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 17:25:56 +0800 +Subject: Bluetooth: Fix not cleanup led when bt_init fails + +From: Chen Zhongjin + +[ Upstream commit 2f3957c7eb4e07df944169a3e50a4d6790e1c744 ] + +bt_init() calls bt_leds_init() to register led, but if it fails later, +bt_leds_cleanup() is not called to unregister it. + +This can cause panic if the argument "bluetooth-power" in text is freed +and then another led_trigger_register() tries to access it: + +BUG: unable to handle page fault for address: ffffffffc06d3bc0 +RIP: 0010:strcmp+0xc/0x30 + Call Trace: + + led_trigger_register+0x10d/0x4f0 + led_trigger_register_simple+0x7d/0x100 + bt_init+0x39/0xf7 [bluetooth] + do_one_initcall+0xd0/0x4e0 + +Fixes: e64c97b53bc6 ("Bluetooth: Add combined LED trigger for controller power") +Signed-off-by: Chen Zhongjin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/af_bluetooth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c +index 5f508c50649d..8031526eeeee 100644 +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -735,7 +735,7 @@ static int __init bt_init(void) + + err = bt_sysfs_init(); + if (err < 0) +- return err; ++ goto cleanup_led; + + err = sock_register(&bt_sock_family_ops); + if (err) +@@ -771,6 +771,8 @@ static int __init bt_init(void) + sock_unregister(PF_BLUETOOTH); + cleanup_sysfs: + bt_sysfs_cleanup(); ++cleanup_led: ++ bt_leds_cleanup(); + return err; + } + +-- +2.35.1 + diff --git a/queue-5.4/ca8210-fix-crash-by-zero-initializing-data.patch b/queue-5.4/ca8210-fix-crash-by-zero-initializing-data.patch new file mode 100644 index 00000000000..1143a85c1ae --- /dev/null +++ b/queue-5.4/ca8210-fix-crash-by-zero-initializing-data.patch @@ -0,0 +1,40 @@ +From c76d277f0e713d25919b11469ecc1ed5bc642464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 01:22:01 +0100 +Subject: ca8210: Fix crash by zero initializing data + +From: Hauke Mehrtens + +[ Upstream commit 1e24c54da257ab93cff5826be8a793b014a5dc9c ] + +The struct cas_control embeds multiple generic SPI structures and we +have to make sure these structures are initialized to default values. +This driver does not set all attributes. When using kmalloc before some +attributes were not initialized and contained random data which caused +random crashes at bootup. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Hauke Mehrtens +Link: https://lore.kernel.org/r/20221121002201.1339636-1-hauke@hauke-m.de +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 47959aadbc50..66cf09e637e4 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -926,7 +926,7 @@ static int ca8210_spi_transfer( + + dev_dbg(&spi->dev, "%s called\n", __func__); + +- cas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC); ++ cas_ctl = kzalloc(sizeof(*cas_ctl), GFP_ATOMIC); + if (!cas_ctl) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-5.4/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch b/queue-5.4/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch new file mode 100644 index 00000000000..a1d2a3ac2ae --- /dev/null +++ b/queue-5.4/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch @@ -0,0 +1,55 @@ +From 9fe59188408f1effccc891decb36be4ec08fcd71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 21:22:42 +0100 +Subject: can: esd_usb: Allow REC and TEC to return to zero + +From: Frank Jungclaus + +[ Upstream commit 918ee4911f7a41fb4505dff877c1d7f9f64eb43e ] + +We don't get any further EVENT from an esd CAN USB device for changes +on REC or TEC while those counters converge to 0 (with ecc == 0). So +when handling the "Back to Error Active"-event force txerr = rxerr = +0, otherwise the berr-counters might stay on values like 95 forever. + +Also, to make life easier during the ongoing development a +netdev_dbg() has been introduced to allow dumping error events send by +an esd CAN USB device. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Signed-off-by: Frank Jungclaus +Link: https://lore.kernel.org/all/20221130202242.3998219-2-frank.jungclaus@esd.eu +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/esd_usb2.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c +index 8847942a8d97..73c5343e609b 100644 +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -227,6 +227,10 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + u8 rxerr = msg->msg.rx.data[2]; + u8 txerr = msg->msg.rx.data[3]; + ++ netdev_dbg(priv->netdev, ++ "CAN_ERR_EV_EXT: dlc=%#02x state=%02x ecc=%02x rec=%02x tec=%02x\n", ++ msg->msg.rx.dlc, state, ecc, rxerr, txerr); ++ + skb = alloc_can_err_skb(priv->netdev, &cf); + if (skb == NULL) { + stats->rx_dropped++; +@@ -253,6 +257,8 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + break; + default: + priv->can.state = CAN_STATE_ERROR_ACTIVE; ++ txerr = 0; ++ rxerr = 0; + break; + } + } else { +-- +2.35.1 + diff --git a/queue-5.4/drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch b/queue-5.4/drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch new file mode 100644 index 00000000000..43640611626 --- /dev/null +++ b/queue-5.4/drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch @@ -0,0 +1,56 @@ +From 38b7e3f9618d8f880f3699e94aca2a438d546832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 18:45:58 +0800 +Subject: drm/bridge: ti-sn65dsi86: Fix output polarity setting bug + +From: Qiqi Zhang + +[ Upstream commit 8c115864501fc09932cdfec53d9ec1cde82b4a28 ] + +According to the description in ti-sn65dsi86's datasheet: + +CHA_HSYNC_POLARITY: +0 = Active High Pulse. Synchronization signal is high for the sync +pulse width. (default) +1 = Active Low Pulse. Synchronization signal is low for the sync +pulse width. + +CHA_VSYNC_POLARITY: +0 = Active High Pulse. Synchronization signal is high for the sync +pulse width. (Default) +1 = Active Low Pulse. Synchronization signal is low for the sync +pulse width. + +We should only set these bits when the polarity is negative. + +Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver") +Signed-off-by: Qiqi Zhang +Reviewed-by: Douglas Anderson +Tested-by: Douglas Anderson +Reviewed-by: Tomi Valkeinen +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20221125104558.84616-1-eddy.zhang@rock-chips.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index dbb4a374cb64..20ea1c6bc8bb 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -460,9 +460,9 @@ static void ti_sn_bridge_set_video_timings(struct ti_sn_bridge *pdata) + &pdata->bridge.encoder->crtc->state->adjusted_mode; + u8 hsync_polarity = 0, vsync_polarity = 0; + +- if (mode->flags & DRM_MODE_FLAG_PHSYNC) ++ if (mode->flags & DRM_MODE_FLAG_NHSYNC) + hsync_polarity = CHA_HSYNC_POLARITY; +- if (mode->flags & DRM_MODE_FLAG_PVSYNC) ++ if (mode->flags & DRM_MODE_FLAG_NVSYNC) + vsync_polarity = CHA_VSYNC_POLARITY; + + ti_sn_bridge_write_u16(pdata, SN_CHA_ACTIVE_LINE_LENGTH_LOW_REG, +-- +2.35.1 + diff --git a/queue-5.4/e1000e-fix-tx-dispatch-condition.patch b/queue-5.4/e1000e-fix-tx-dispatch-condition.patch new file mode 100644 index 00000000000..fcbe31aa344 --- /dev/null +++ b/queue-5.4/e1000e-fix-tx-dispatch-condition.patch @@ -0,0 +1,67 @@ +From 318c5d246d712931f1370259b626673ee64366b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 22:00:00 +0900 +Subject: e1000e: Fix TX dispatch condition + +From: Akihiko Odaki + +[ Upstream commit eed913f6919e253f35d454b2f115f2a4db2b741a ] + +e1000_xmit_frame is expected to stop the queue and dispatch frames to +hardware if there is not sufficient space for the next frame in the +buffer, but sometimes it failed to do so because the estimated maximum +size of frame was wrong. As the consequence, the later invocation of +e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer +remained forever, resulting in a watchdog failure. + +This change fixes the estimated size by making it match with the +condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to +account for the following lines which determines the space requirement +for not causing NETDEV_TX_BUSY: + ``` + /* reserve a descriptor for the offload context */ + if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL)) + count++; + count++; + + count += DIV_ROUND_UP(len, adapter->tx_fifo_limit); + ``` + +This issue was found when running http-stress02 test included in Linux +Test Project 20220930 on QEMU with the following commandline: +``` +qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8 + -drive if=virtio,format=raw,file=root.img,file.locking=on + -device e1000e,netdev=netdev + -netdev tap,script=ifup,downscript=no,id=netdev +``` + +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Signed-off-by: Akihiko Odaki +Tested-by: Gurucharan G (A Contingent worker at Intel) +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index cbd83bb5c1ac..b0d43985724d 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5916,9 +5916,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + e1000_tx_queue(tx_ring, tx_flags, count); + /* Make sure there is space in the ring for the next send. */ + e1000_maybe_stop_tx(tx_ring, +- (MAX_SKB_FRAGS * ++ ((MAX_SKB_FRAGS + 1) * + DIV_ROUND_UP(PAGE_SIZE, +- adapter->tx_fifo_limit) + 2)); ++ adapter->tx_fifo_limit) + 4)); + + if (!netdev_xmit_more() || + netif_xmit_stopped(netdev_get_tx_queue(netdev, 0))) { +-- +2.35.1 + diff --git a/queue-5.4/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch b/queue-5.4/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch new file mode 100644 index 00000000000..6a26ff1d225 --- /dev/null +++ b/queue-5.4/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch @@ -0,0 +1,39 @@ +From 6b3de86bdd6dc89bf000bf487b940e7832a21be5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 14:09:08 +0800 +Subject: ethernet: aeroflex: fix potential skb leak in greth_init_rings() + +From: Zhang Changzhong + +[ Upstream commit 063a932b64db3317ec020c94466fe52923a15f60 ] + +The greth_init_rings() function won't free the newly allocated skb when +dma_mapping_error() returns error, so add dev_kfree_skb() to fix it. + +Compile tested only. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Zhang Changzhong +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1670134149-29516-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 907904c0a288..19e2b838750c 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -258,6 +258,7 @@ static int greth_init_rings(struct greth_private *greth) + if (dma_mapping_error(greth->dev, dma_addr)) { + if (netif_msg_ifup(greth)) + dev_err(greth->dev, "Could not create initial DMA mapping\n"); ++ dev_kfree_skb(skb); + goto cleanup; + } + greth->rx_skbuff[i] = skb; +-- +2.35.1 + diff --git a/queue-5.4/gpio-amd8111-fix-pci-device-reference-count-leak.patch b/queue-5.4/gpio-amd8111-fix-pci-device-reference-count-leak.patch new file mode 100644 index 00000000000..3a624086595 --- /dev/null +++ b/queue-5.4/gpio-amd8111-fix-pci-device-reference-count-leak.patch @@ -0,0 +1,54 @@ +From 63daf6040635c2ad5ed290a7d4813fa52a9b3e0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 20:35:08 +0800 +Subject: gpio: amd8111: Fix PCI device reference count leak + +From: Xiongfeng Wang + +[ Upstream commit 45fecdb9f658d9c82960c98240bc0770ade19aca ] + +for_each_pci_dev() is implemented by pci_get_device(). The comment of +pci_get_device() says that it will increase the reference count for the +returned pci_dev and also decrease the reference count for the input +pci_dev @from if it is not NULL. + +If we break for_each_pci_dev() loop with pdev not NULL, we need to call +pci_dev_put() to decrease the reference count. Add the missing +pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL +input parameter, there is no problem for the 'Device not found' branch. +For the normal path, add pci_dev_put() in amd_gpio_exit(). + +Fixes: f942a7de047d ("gpio: add a driver for GPIO pins found on AMD-8111 south bridge chips") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-amd8111.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpio/gpio-amd8111.c b/drivers/gpio/gpio-amd8111.c +index fdcebe59510d..68d95051dd0e 100644 +--- a/drivers/gpio/gpio-amd8111.c ++++ b/drivers/gpio/gpio-amd8111.c +@@ -231,7 +231,10 @@ static int __init amd_gpio_init(void) + ioport_unmap(gp.pm); + goto out; + } ++ return 0; ++ + out: ++ pci_dev_put(pdev); + return err; + } + +@@ -239,6 +242,7 @@ static void __exit amd_gpio_exit(void) + { + gpiochip_remove(&gp.chip); + ioport_unmap(gp.pm); ++ pci_dev_put(gp.pdev); + } + + module_init(amd_gpio_init); +-- +2.35.1 + diff --git a/queue-5.4/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch b/queue-5.4/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch new file mode 100644 index 00000000000..be28b70787b --- /dev/null +++ b/queue-5.4/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch @@ -0,0 +1,46 @@ +From 571bb95899cc7e05dc2dd3728c0498b5ecd0ac04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 09:49:25 +0100 +Subject: i40e: Disallow ip4 and ip6 l4_4_bytes + +From: Przemyslaw Patynowski + +[ Upstream commit d64aaf3f7869f915fd120763d75f11d6b116424d ] + +Return -EOPNOTSUPP, when user requests l4_4_bytes for raw IP4 or +IP6 flow director filters. Flow director does not support filtering +on l4 bytes for PCTYPEs used by IP4 and IP6 filters. +Without this patch, user could create filters with l4_4_bytes fields, +which did not do any filtering on L4, but only on L3 fields. + +Fixes: 36777d9fa24c ("i40e: check current configured input set when adding ntuple filters") +Signed-off-by: Przemyslaw Patynowski +Signed-off-by: Kamil Maziarz +Reviewed-by: Jacob Keller +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 7059ced24739..95a6f8689b6f 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -4233,11 +4233,7 @@ static int i40e_check_fdir_input_set(struct i40e_vsi *vsi, + return -EOPNOTSUPP; + + /* First 4 bytes of L4 header */ +- if (usr_ip4_spec->l4_4_bytes == htonl(0xFFFFFFFF)) +- new_mask |= I40E_L4_SRC_MASK | I40E_L4_DST_MASK; +- else if (!usr_ip4_spec->l4_4_bytes) +- new_mask &= ~(I40E_L4_SRC_MASK | I40E_L4_DST_MASK); +- else ++ if (usr_ip4_spec->l4_4_bytes) + return -EOPNOTSUPP; + + /* Filtering on Type of Service is not supported. */ +-- +2.35.1 + diff --git a/queue-5.4/i40e-fix-for-vf-mac-address-0.patch b/queue-5.4/i40e-fix-for-vf-mac-address-0.patch new file mode 100644 index 00000000000..0a15dc7f5f4 --- /dev/null +++ b/queue-5.4/i40e-fix-for-vf-mac-address-0.patch @@ -0,0 +1,49 @@ +From 0f997bdcee2a4f1bf1c9c16e364473300f151a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 13:00:28 +0100 +Subject: i40e: Fix for VF MAC address 0 + +From: Sylwester Dziedziuch + +[ Upstream commit 08501970472077ed5de346ad89943a37d1692e9b ] + +After spawning max VFs on a PF, some VFs were not getting resources and +their MAC addresses were 0. This was caused by PF sleeping before flushing +HW registers which caused VIRTCHNL_VFR_VFACTIVE to not be set in time for +VF. + +Fix by adding a sleep after hw flush. + +Fixes: e4b433f4a741 ("i40e: reset all VFs in parallel when rebuilding PF") +Signed-off-by: Sylwester Dziedziuch +Signed-off-by: Jan Sokolowski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index fb060e3253d9..be07148a7b29 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1394,6 +1394,7 @@ bool i40e_reset_vf(struct i40e_vf *vf, bool flr) + i40e_cleanup_reset_vf(vf); + + i40e_flush(hw); ++ usleep_range(20000, 40000); + clear_bit(I40E_VF_STATE_RESETTING, &vf->vf_states); + + return true; +@@ -1517,6 +1518,7 @@ bool i40e_reset_all_vfs(struct i40e_pf *pf, bool flr) + } + + i40e_flush(hw); ++ usleep_range(20000, 40000); + clear_bit(__I40E_VF_DISABLE, pf->state); + + return true; +-- +2.35.1 + diff --git a/queue-5.4/i40e-fix-not-setting-default-xps_cpus-after-reset.patch b/queue-5.4/i40e-fix-not-setting-default-xps_cpus-after-reset.patch new file mode 100644 index 00000000000..cf612c22e10 --- /dev/null +++ b/queue-5.4/i40e-fix-not-setting-default-xps_cpus-after-reset.patch @@ -0,0 +1,72 @@ +From 2ae8c1c01d31cc875057aaaec595717b6fc4427f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 10:19:42 +0200 +Subject: i40e: Fix not setting default xps_cpus after reset + +From: Michal Jaron + +[ Upstream commit 82e0572b23029b380464fa9fdc125db9c1506d0a ] + +During tx rings configuration default XPS queue config is set and +__I40E_TX_XPS_INIT_DONE is locked. __I40E_TX_XPS_INIT_DONE state is +cleared and set again with default mapping only during queues build, +it means after first setup or reset with queues rebuild. (i.e. +ethtool -L combined ) After other resets (i.e. +ethtool -t ) XPS_INIT_DONE is not cleared and those default +maps cannot be set again. It results in cleared xps_cpus mapping +until queues are not rebuild or mapping is not set by user. + +Add clearing __I40E_TX_XPS_INIT_DONE state during reset to let +the driver set xps_cpus to defaults again after it was cleared. + +Fixes: 6f853d4f8e93 ("i40e: allow XPS with QoS enabled") +Signed-off-by: Michal Jaron +Signed-off-by: Kamil Maziarz +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 15f177185d71..d612b23c2e3f 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -9953,6 +9953,21 @@ static int i40e_rebuild_channels(struct i40e_vsi *vsi) + return 0; + } + ++/** ++ * i40e_clean_xps_state - clean xps state for every tx_ring ++ * @vsi: ptr to the VSI ++ **/ ++static void i40e_clean_xps_state(struct i40e_vsi *vsi) ++{ ++ int i; ++ ++ if (vsi->tx_rings) ++ for (i = 0; i < vsi->num_queue_pairs; i++) ++ if (vsi->tx_rings[i]) ++ clear_bit(__I40E_TX_XPS_INIT_DONE, ++ vsi->tx_rings[i]->state); ++} ++ + /** + * i40e_prep_for_reset - prep for the core to reset + * @pf: board private structure +@@ -9984,8 +9999,10 @@ static void i40e_prep_for_reset(struct i40e_pf *pf, bool lock_acquired) + rtnl_unlock(); + + for (v = 0; v < pf->num_alloc_vsi; v++) { +- if (pf->vsi[v]) ++ if (pf->vsi[v]) { ++ i40e_clean_xps_state(pf->vsi[v]); + pf->vsi[v]->seid = 0; ++ } + } + + i40e_shutdown_adminq(&pf->hw); +-- +2.35.1 + diff --git a/queue-5.4/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch b/queue-5.4/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch new file mode 100644 index 00000000000..2c0817ba9ca --- /dev/null +++ b/queue-5.4/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch @@ -0,0 +1,37 @@ +From 33ae0e36f1bdb636ed0b2796116f4d0371f73d96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 15:50:46 +0800 +Subject: ieee802154: cc2520: Fix error return code in cc2520_hw_init() + +From: Ziyang Xuan + +[ Upstream commit 4d002d6a2a00ac1c433899bd7625c6400a74cfba ] + +In cc2520_hw_init(), if oscillator start failed, the error code +should be returned. + +Fixes: 0da6bc8cc341 ("ieee802154: cc2520: adds driver for TI CC2520 radio") +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/r/20221120075046.2213633-1-william.xuanziyang@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/cc2520.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c +index 0432a4f829a9..9739a6ed91ad 100644 +--- a/drivers/net/ieee802154/cc2520.c ++++ b/drivers/net/ieee802154/cc2520.c +@@ -973,7 +973,7 @@ static int cc2520_hw_init(struct cc2520_private *priv) + + if (timeout-- <= 0) { + dev_err(&priv->spi->dev, "oscillator start failed!\n"); +- return ret; ++ return -ETIMEDOUT; + } + udelay(1); + } while (!(status & CC2520_STATUS_XOSC32M_STABLE)); +-- +2.35.1 + diff --git a/queue-5.4/igb-allocate-msi-x-vector-when-testing.patch b/queue-5.4/igb-allocate-msi-x-vector-when-testing.patch new file mode 100644 index 00000000000..ac2e62112de --- /dev/null +++ b/queue-5.4/igb-allocate-msi-x-vector-when-testing.patch @@ -0,0 +1,69 @@ +From 8df4988a6ef6b1e564f9e487c3b4400e0803aa26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 22:30:31 +0900 +Subject: igb: Allocate MSI-X vector when testing + +From: Akihiko Odaki + +[ Upstream commit 28e96556baca7056d11d9fb3cdd0aba4483e00d8 ] + +Without this change, the interrupt test fail with MSI-X environment: + +$ sudo ethtool -t enp0s2 offline +[ 43.921783] igb 0000:00:02.0: offline testing starting +[ 44.855824] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Down +[ 44.961249] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX +[ 51.272202] igb 0000:00:02.0: testing shared interrupt +[ 56.996975] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX +The test result is FAIL +The test extra info: +Register test (offline) 0 +Eeprom test (offline) 0 +Interrupt test (offline) 4 +Loopback test (offline) 0 +Link test (on/offline) 0 + +Here, "4" means an expected interrupt was not delivered. + +To fix this, route IRQs correctly to the first MSI-X vector by setting +IVAR_MISC. Also, set bit 0 of EIMS so that the vector will not be +masked. The interrupt test now runs properly with this change: + +$ sudo ethtool -t enp0s2 offline +[ 42.762985] igb 0000:00:02.0: offline testing starting +[ 50.141967] igb 0000:00:02.0: testing shared interrupt +[ 56.163957] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX +The test result is PASS +The test extra info: +Register test (offline) 0 +Eeprom test (offline) 0 +Interrupt test (offline) 0 +Loopback test (offline) 0 +Link test (on/offline) 0 + +Fixes: 4eefa8f01314 ("igb: add single vector msi-x testing to interrupt test") +Signed-off-by: Akihiko Odaki +Reviewed-by: Maciej Fijalkowski +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c +index f80933320fd3..6196f9bbd67d 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c ++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c +@@ -1402,6 +1402,8 @@ static int igb_intr_test(struct igb_adapter *adapter, u64 *data) + *data = 1; + return -1; + } ++ wr32(E1000_IVAR_MISC, E1000_IVAR_VALID << 8); ++ wr32(E1000_EIMS, BIT(0)); + } else if (adapter->flags & IGB_FLAG_HAS_MSI) { + shared_int = false; + if (request_irq(irq, +-- +2.35.1 + diff --git a/queue-5.4/ipv4-fix-incorrect-route-flushing-when-source-addres.patch b/queue-5.4/ipv4-fix-incorrect-route-flushing-when-source-addres.patch new file mode 100644 index 00000000000..d77f2cef8e1 --- /dev/null +++ b/queue-5.4/ipv4-fix-incorrect-route-flushing-when-source-addres.patch @@ -0,0 +1,1816 @@ +From 98af4de92a6e04f17537c9b1475605833cd03a37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 09:50:44 +0200 +Subject: ipv4: Fix incorrect route flushing when source address is deleted + +From: Ido Schimmel + +[ Upstream commit f96a3d74554df537b6db5c99c27c80e7afadc8d1 ] + +Cited commit added the table ID to the FIB info structure, but did not +prevent structures with different table IDs from being consolidated. +This can lead to routes being flushed from a VRF when an address is +deleted from a different VRF. + +Fix by taking the table ID into account when looking for a matching FIB +info. This is already done for FIB info structures backed by a nexthop +object in fib_find_info_nh(). + +Add test cases that fail before the fix: + + # ./fib_tests.sh -t ipv4_del_addr + + IPv4 delete address route tests + Regular FIB info + TEST: Route removed from VRF when source address deleted [ OK ] + TEST: Route in default VRF not removed [ OK ] + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [ OK ] + Identical FIB info with different table ID + TEST: Route removed from VRF when source address deleted [FAIL] + TEST: Route in default VRF not removed [ OK ] + RTNETLINK answers: File exists + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [FAIL] + + Tests passed: 6 + Tests failed: 2 + +And pass after: + + # ./fib_tests.sh -t ipv4_del_addr + + IPv4 delete address route tests + Regular FIB info + TEST: Route removed from VRF when source address deleted [ OK ] + TEST: Route in default VRF not removed [ OK ] + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [ OK ] + Identical FIB info with different table ID + TEST: Route removed from VRF when source address deleted [ OK ] + TEST: Route in default VRF not removed [ OK ] + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [ OK ] + + Tests passed: 8 + Tests failed: 0 + +Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs") +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_semantics.c | 1 + + tools/testing/selftests/net/fib_tests.sh | 1727 ---------------------- + 2 files changed, 1 insertion(+), 1727 deletions(-) + delete mode 100755 tools/testing/selftests/net/fib_tests.sh + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 908913d75847..f45b9daf62cf 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -420,6 +420,7 @@ static struct fib_info *fib_find_info(struct fib_info *nfi) + nfi->fib_prefsrc == fi->fib_prefsrc && + nfi->fib_priority == fi->fib_priority && + nfi->fib_type == fi->fib_type && ++ nfi->fib_tb_id == fi->fib_tb_id && + memcmp(nfi->fib_metrics, fi->fib_metrics, + sizeof(u32) * RTAX_MAX) == 0 && + !((nfi->fib_flags ^ fi->fib_flags) & ~RTNH_COMPARE_MASK) && +diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh +deleted file mode 100755 +index 6986086035d6..000000000000 +--- a/tools/testing/selftests/net/fib_tests.sh ++++ /dev/null +@@ -1,1727 +0,0 @@ +-#!/bin/bash +-# SPDX-License-Identifier: GPL-2.0 +- +-# This test is for checking IPv4 and IPv6 FIB behavior in response to +-# different events. +- +-ret=0 +-# Kselftest framework requirement - SKIP code is 4. +-ksft_skip=4 +- +-# all tests in this script. Can be overridden with -t option +-TESTS="unregister down carrier nexthop suppress ipv6_rt ipv4_rt ipv6_addr_metric ipv4_addr_metric ipv6_route_metrics ipv4_route_metrics ipv4_route_v6_gw rp_filter" +- +-VERBOSE=0 +-PAUSE_ON_FAIL=no +-PAUSE=no +-IP="ip -netns ns1" +-NS_EXEC="ip netns exec ns1" +- +-which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) +- +-log_test() +-{ +- local rc=$1 +- local expected=$2 +- local msg="$3" +- +- if [ ${rc} -eq ${expected} ]; then +- printf " TEST: %-60s [ OK ]\n" "${msg}" +- nsuccess=$((nsuccess+1)) +- else +- ret=1 +- nfail=$((nfail+1)) +- printf " TEST: %-60s [FAIL]\n" "${msg}" +- if [ "${PAUSE_ON_FAIL}" = "yes" ]; then +- echo +- echo "hit enter to continue, 'q' to quit" +- read a +- [ "$a" = "q" ] && exit 1 +- fi +- fi +- +- if [ "${PAUSE}" = "yes" ]; then +- echo +- echo "hit enter to continue, 'q' to quit" +- read a +- [ "$a" = "q" ] && exit 1 +- fi +-} +- +-setup() +-{ +- set -e +- ip netns add ns1 +- ip netns set ns1 auto +- $IP link set dev lo up +- ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=1 +- ip netns exec ns1 sysctl -qw net.ipv6.conf.all.forwarding=1 +- +- $IP link add dummy0 type dummy +- $IP link set dev dummy0 up +- $IP address add 198.51.100.1/24 dev dummy0 +- $IP -6 address add 2001:db8:1::1/64 dev dummy0 +- set +e +- +-} +- +-cleanup() +-{ +- $IP link del dev dummy0 &> /dev/null +- ip netns del ns1 +- ip netns del ns2 &> /dev/null +-} +- +-get_linklocal() +-{ +- local dev=$1 +- local addr +- +- addr=$($IP -6 -br addr show dev ${dev} | \ +- awk '{ +- for (i = 3; i <= NF; ++i) { +- if ($i ~ /^fe80/) +- print $i +- } +- }' +- ) +- addr=${addr/\/*} +- +- [ -z "$addr" ] && return 1 +- +- echo $addr +- +- return 0 +-} +- +-fib_unreg_unicast_test() +-{ +- echo +- echo "Single path route test" +- +- setup +- +- echo " Start point" +- $IP route get fibmatch 198.51.100.2 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:1::2 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- set -e +- $IP link del dev dummy0 +- set +e +- +- echo " Nexthop device deleted" +- $IP route get fibmatch 198.51.100.2 &> /dev/null +- log_test $? 2 "IPv4 fibmatch - no route" +- $IP -6 route get fibmatch 2001:db8:1::2 &> /dev/null +- log_test $? 2 "IPv6 fibmatch - no route" +- +- cleanup +-} +- +-fib_unreg_multipath_test() +-{ +- +- echo +- echo "Multipath route test" +- +- setup +- +- set -e +- $IP link add dummy1 type dummy +- $IP link set dev dummy1 up +- $IP address add 192.0.2.1/24 dev dummy1 +- $IP -6 address add 2001:db8:2::1/64 dev dummy1 +- +- $IP route add 203.0.113.0/24 \ +- nexthop via 198.51.100.2 dev dummy0 \ +- nexthop via 192.0.2.2 dev dummy1 +- $IP -6 route add 2001:db8:3::/64 \ +- nexthop via 2001:db8:1::2 dev dummy0 \ +- nexthop via 2001:db8:2::2 dev dummy1 +- set +e +- +- echo " Start point" +- $IP route get fibmatch 203.0.113.1 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:3::1 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- set -e +- $IP link del dev dummy0 +- set +e +- +- echo " One nexthop device deleted" +- $IP route get fibmatch 203.0.113.1 &> /dev/null +- log_test $? 2 "IPv4 - multipath route removed on delete" +- +- $IP -6 route get fibmatch 2001:db8:3::1 &> /dev/null +- # In IPv6 we do not flush the entire multipath route. +- log_test $? 0 "IPv6 - multipath down to single path" +- +- set -e +- $IP link del dev dummy1 +- set +e +- +- echo " Second nexthop device deleted" +- $IP -6 route get fibmatch 2001:db8:3::1 &> /dev/null +- log_test $? 2 "IPv6 - no route" +- +- cleanup +-} +- +-fib_unreg_test() +-{ +- fib_unreg_unicast_test +- fib_unreg_multipath_test +-} +- +-fib_down_unicast_test() +-{ +- echo +- echo "Single path, admin down" +- +- setup +- +- echo " Start point" +- $IP route get fibmatch 198.51.100.2 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:1::2 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- set -e +- $IP link set dev dummy0 down +- set +e +- +- echo " Route deleted on down" +- $IP route get fibmatch 198.51.100.2 &> /dev/null +- log_test $? 2 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:1::2 &> /dev/null +- log_test $? 2 "IPv6 fibmatch" +- +- cleanup +-} +- +-fib_down_multipath_test_do() +-{ +- local down_dev=$1 +- local up_dev=$2 +- +- $IP route get fibmatch 203.0.113.1 \ +- oif $down_dev &> /dev/null +- log_test $? 2 "IPv4 fibmatch on down device" +- $IP -6 route get fibmatch 2001:db8:3::1 \ +- oif $down_dev &> /dev/null +- log_test $? 2 "IPv6 fibmatch on down device" +- +- $IP route get fibmatch 203.0.113.1 \ +- oif $up_dev &> /dev/null +- log_test $? 0 "IPv4 fibmatch on up device" +- $IP -6 route get fibmatch 2001:db8:3::1 \ +- oif $up_dev &> /dev/null +- log_test $? 0 "IPv6 fibmatch on up device" +- +- $IP route get fibmatch 203.0.113.1 | \ +- grep $down_dev | grep -q "dead linkdown" +- log_test $? 0 "IPv4 flags on down device" +- $IP -6 route get fibmatch 2001:db8:3::1 | \ +- grep $down_dev | grep -q "dead linkdown" +- log_test $? 0 "IPv6 flags on down device" +- +- $IP route get fibmatch 203.0.113.1 | \ +- grep $up_dev | grep -q "dead linkdown" +- log_test $? 1 "IPv4 flags on up device" +- $IP -6 route get fibmatch 2001:db8:3::1 | \ +- grep $up_dev | grep -q "dead linkdown" +- log_test $? 1 "IPv6 flags on up device" +-} +- +-fib_down_multipath_test() +-{ +- echo +- echo "Admin down multipath" +- +- setup +- +- set -e +- $IP link add dummy1 type dummy +- $IP link set dev dummy1 up +- +- $IP address add 192.0.2.1/24 dev dummy1 +- $IP -6 address add 2001:db8:2::1/64 dev dummy1 +- +- $IP route add 203.0.113.0/24 \ +- nexthop via 198.51.100.2 dev dummy0 \ +- nexthop via 192.0.2.2 dev dummy1 +- $IP -6 route add 2001:db8:3::/64 \ +- nexthop via 2001:db8:1::2 dev dummy0 \ +- nexthop via 2001:db8:2::2 dev dummy1 +- set +e +- +- echo " Verify start point" +- $IP route get fibmatch 203.0.113.1 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- +- $IP -6 route get fibmatch 2001:db8:3::1 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- set -e +- $IP link set dev dummy0 down +- set +e +- +- echo " One device down, one up" +- fib_down_multipath_test_do "dummy0" "dummy1" +- +- set -e +- $IP link set dev dummy0 up +- $IP link set dev dummy1 down +- set +e +- +- echo " Other device down and up" +- fib_down_multipath_test_do "dummy1" "dummy0" +- +- set -e +- $IP link set dev dummy0 down +- set +e +- +- echo " Both devices down" +- $IP route get fibmatch 203.0.113.1 &> /dev/null +- log_test $? 2 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:3::1 &> /dev/null +- log_test $? 2 "IPv6 fibmatch" +- +- $IP link del dev dummy1 +- cleanup +-} +- +-fib_down_test() +-{ +- fib_down_unicast_test +- fib_down_multipath_test +-} +- +-# Local routes should not be affected when carrier changes. +-fib_carrier_local_test() +-{ +- echo +- echo "Local carrier tests - single path" +- +- setup +- +- set -e +- $IP link set dev dummy0 carrier on +- set +e +- +- echo " Start point" +- $IP route get fibmatch 198.51.100.1 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:1::1 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- $IP route get fibmatch 198.51.100.1 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv4 - no linkdown flag" +- $IP -6 route get fibmatch 2001:db8:1::1 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv6 - no linkdown flag" +- +- set -e +- $IP link set dev dummy0 carrier off +- sleep 1 +- set +e +- +- echo " Carrier off on nexthop" +- $IP route get fibmatch 198.51.100.1 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:1::1 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- $IP route get fibmatch 198.51.100.1 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv4 - linkdown flag set" +- $IP -6 route get fibmatch 2001:db8:1::1 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv6 - linkdown flag set" +- +- set -e +- $IP address add 192.0.2.1/24 dev dummy0 +- $IP -6 address add 2001:db8:2::1/64 dev dummy0 +- set +e +- +- echo " Route to local address with carrier down" +- $IP route get fibmatch 192.0.2.1 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:2::1 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- $IP route get fibmatch 192.0.2.1 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv4 linkdown flag set" +- $IP -6 route get fibmatch 2001:db8:2::1 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv6 linkdown flag set" +- +- cleanup +-} +- +-fib_carrier_unicast_test() +-{ +- ret=0 +- +- echo +- echo "Single path route carrier test" +- +- setup +- +- set -e +- $IP link set dev dummy0 carrier on +- set +e +- +- echo " Start point" +- $IP route get fibmatch 198.51.100.2 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:1::2 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- $IP route get fibmatch 198.51.100.2 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv4 no linkdown flag" +- $IP -6 route get fibmatch 2001:db8:1::2 | \ +- grep -q "linkdown" +- log_test $? 1 "IPv6 no linkdown flag" +- +- set -e +- $IP link set dev dummy0 carrier off +- sleep 1 +- set +e +- +- echo " Carrier down" +- $IP route get fibmatch 198.51.100.2 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:1::2 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- $IP route get fibmatch 198.51.100.2 | \ +- grep -q "linkdown" +- log_test $? 0 "IPv4 linkdown flag set" +- $IP -6 route get fibmatch 2001:db8:1::2 | \ +- grep -q "linkdown" +- log_test $? 0 "IPv6 linkdown flag set" +- +- set -e +- $IP address add 192.0.2.1/24 dev dummy0 +- $IP -6 address add 2001:db8:2::1/64 dev dummy0 +- set +e +- +- echo " Second address added with carrier down" +- $IP route get fibmatch 192.0.2.2 &> /dev/null +- log_test $? 0 "IPv4 fibmatch" +- $IP -6 route get fibmatch 2001:db8:2::2 &> /dev/null +- log_test $? 0 "IPv6 fibmatch" +- +- $IP route get fibmatch 192.0.2.2 | \ +- grep -q "linkdown" +- log_test $? 0 "IPv4 linkdown flag set" +- $IP -6 route get fibmatch 2001:db8:2::2 | \ +- grep -q "linkdown" +- log_test $? 0 "IPv6 linkdown flag set" +- +- cleanup +-} +- +-fib_carrier_test() +-{ +- fib_carrier_local_test +- fib_carrier_unicast_test +-} +- +-fib_rp_filter_test() +-{ +- echo +- echo "IPv4 rp_filter tests" +- +- setup +- +- set -e +- ip netns add ns2 +- ip netns set ns2 auto +- +- ip -netns ns2 link set dev lo up +- +- $IP link add name veth1 type veth peer name veth2 +- $IP link set dev veth2 netns ns2 +- $IP address add 192.0.2.1/24 dev veth1 +- ip -netns ns2 address add 192.0.2.1/24 dev veth2 +- $IP link set dev veth1 up +- ip -netns ns2 link set dev veth2 up +- +- $IP link set dev lo address 52:54:00:6a:c7:5e +- $IP link set dev veth1 address 52:54:00:6a:c7:5e +- ip -netns ns2 link set dev lo address 52:54:00:6a:c7:5e +- ip -netns ns2 link set dev veth2 address 52:54:00:6a:c7:5e +- +- # 1. (ns2) redirect lo's egress to veth2's egress +- ip netns exec ns2 tc qdisc add dev lo parent root handle 1: fq_codel +- ip netns exec ns2 tc filter add dev lo parent 1: protocol arp basic \ +- action mirred egress redirect dev veth2 +- ip netns exec ns2 tc filter add dev lo parent 1: protocol ip basic \ +- action mirred egress redirect dev veth2 +- +- # 2. (ns1) redirect veth1's ingress to lo's ingress +- $NS_EXEC tc qdisc add dev veth1 ingress +- $NS_EXEC tc filter add dev veth1 ingress protocol arp basic \ +- action mirred ingress redirect dev lo +- $NS_EXEC tc filter add dev veth1 ingress protocol ip basic \ +- action mirred ingress redirect dev lo +- +- # 3. (ns1) redirect lo's egress to veth1's egress +- $NS_EXEC tc qdisc add dev lo parent root handle 1: fq_codel +- $NS_EXEC tc filter add dev lo parent 1: protocol arp basic \ +- action mirred egress redirect dev veth1 +- $NS_EXEC tc filter add dev lo parent 1: protocol ip basic \ +- action mirred egress redirect dev veth1 +- +- # 4. (ns2) redirect veth2's ingress to lo's ingress +- ip netns exec ns2 tc qdisc add dev veth2 ingress +- ip netns exec ns2 tc filter add dev veth2 ingress protocol arp basic \ +- action mirred ingress redirect dev lo +- ip netns exec ns2 tc filter add dev veth2 ingress protocol ip basic \ +- action mirred ingress redirect dev lo +- +- $NS_EXEC sysctl -qw net.ipv4.conf.all.rp_filter=1 +- $NS_EXEC sysctl -qw net.ipv4.conf.all.accept_local=1 +- $NS_EXEC sysctl -qw net.ipv4.conf.all.route_localnet=1 +- ip netns exec ns2 sysctl -qw net.ipv4.conf.all.rp_filter=1 +- ip netns exec ns2 sysctl -qw net.ipv4.conf.all.accept_local=1 +- ip netns exec ns2 sysctl -qw net.ipv4.conf.all.route_localnet=1 +- set +e +- +- run_cmd "ip netns exec ns2 ping -w1 -c1 192.0.2.1" +- log_test $? 0 "rp_filter passes local packets" +- +- run_cmd "ip netns exec ns2 ping -w1 -c1 127.0.0.1" +- log_test $? 0 "rp_filter passes loopback packets" +- +- cleanup +-} +- +-################################################################################ +-# Tests on nexthop spec +- +-# run 'ip route add' with given spec +-add_rt() +-{ +- local desc="$1" +- local erc=$2 +- local vrf=$3 +- local pfx=$4 +- local gw=$5 +- local dev=$6 +- local cmd out rc +- +- [ "$vrf" = "-" ] && vrf="default" +- [ -n "$gw" ] && gw="via $gw" +- [ -n "$dev" ] && dev="dev $dev" +- +- cmd="$IP route add vrf $vrf $pfx $gw $dev" +- if [ "$VERBOSE" = "1" ]; then +- printf "\n COMMAND: $cmd\n" +- fi +- +- out=$(eval $cmd 2>&1) +- rc=$? +- if [ "$VERBOSE" = "1" -a -n "$out" ]; then +- echo " $out" +- fi +- log_test $rc $erc "$desc" +-} +- +-fib4_nexthop() +-{ +- echo +- echo "IPv4 nexthop tests" +- +- echo "<<< write me >>>" +-} +- +-fib6_nexthop() +-{ +- local lldummy=$(get_linklocal dummy0) +- local llv1=$(get_linklocal dummy0) +- +- if [ -z "$lldummy" ]; then +- echo "Failed to get linklocal address for dummy0" +- return 1 +- fi +- if [ -z "$llv1" ]; then +- echo "Failed to get linklocal address for veth1" +- return 1 +- fi +- +- echo +- echo "IPv6 nexthop tests" +- +- add_rt "Directly connected nexthop, unicast address" 0 \ +- - 2001:db8:101::/64 2001:db8:1::2 +- add_rt "Directly connected nexthop, unicast address with device" 0 \ +- - 2001:db8:102::/64 2001:db8:1::2 "dummy0" +- add_rt "Gateway is linklocal address" 0 \ +- - 2001:db8:103::1/64 $llv1 "veth0" +- +- # fails because LL address requires a device +- add_rt "Gateway is linklocal address, no device" 2 \ +- - 2001:db8:104::1/64 $llv1 +- +- # local address can not be a gateway +- add_rt "Gateway can not be local unicast address" 2 \ +- - 2001:db8:105::/64 2001:db8:1::1 +- add_rt "Gateway can not be local unicast address, with device" 2 \ +- - 2001:db8:106::/64 2001:db8:1::1 "dummy0" +- add_rt "Gateway can not be a local linklocal address" 2 \ +- - 2001:db8:107::1/64 $lldummy "dummy0" +- +- # VRF tests +- add_rt "Gateway can be local address in a VRF" 0 \ +- - 2001:db8:108::/64 2001:db8:51::2 +- add_rt "Gateway can be local address in a VRF, with device" 0 \ +- - 2001:db8:109::/64 2001:db8:51::2 "veth0" +- add_rt "Gateway can be local linklocal address in a VRF" 0 \ +- - 2001:db8:110::1/64 $llv1 "veth0" +- +- add_rt "Redirect to VRF lookup" 0 \ +- - 2001:db8:111::/64 "" "red" +- +- add_rt "VRF route, gateway can be local address in default VRF" 0 \ +- red 2001:db8:112::/64 2001:db8:51::1 +- +- # local address in same VRF fails +- add_rt "VRF route, gateway can not be a local address" 2 \ +- red 2001:db8:113::1/64 2001:db8:2::1 +- add_rt "VRF route, gateway can not be a local addr with device" 2 \ +- red 2001:db8:114::1/64 2001:db8:2::1 "dummy1" +-} +- +-# Default VRF: +-# dummy0 - 198.51.100.1/24 2001:db8:1::1/64 +-# veth0 - 192.0.2.1/24 2001:db8:51::1/64 +-# +-# VRF red: +-# dummy1 - 192.168.2.1/24 2001:db8:2::1/64 +-# veth1 - 192.0.2.2/24 2001:db8:51::2/64 +-# +-# [ dummy0 veth0 ]--[ veth1 dummy1 ] +- +-fib_nexthop_test() +-{ +- setup +- +- set -e +- +- $IP -4 rule add pref 32765 table local +- $IP -4 rule del pref 0 +- $IP -6 rule add pref 32765 table local +- $IP -6 rule del pref 0 +- +- $IP link add red type vrf table 1 +- $IP link set red up +- $IP -4 route add vrf red unreachable default metric 4278198272 +- $IP -6 route add vrf red unreachable default metric 4278198272 +- +- $IP link add veth0 type veth peer name veth1 +- $IP link set dev veth0 up +- $IP address add 192.0.2.1/24 dev veth0 +- $IP -6 address add 2001:db8:51::1/64 dev veth0 +- +- $IP link set dev veth1 vrf red up +- $IP address add 192.0.2.2/24 dev veth1 +- $IP -6 address add 2001:db8:51::2/64 dev veth1 +- +- $IP link add dummy1 type dummy +- $IP link set dev dummy1 vrf red up +- $IP address add 192.168.2.1/24 dev dummy1 +- $IP -6 address add 2001:db8:2::1/64 dev dummy1 +- set +e +- +- sleep 1 +- fib4_nexthop +- fib6_nexthop +- +- ( +- $IP link del dev dummy1 +- $IP link del veth0 +- $IP link del red +- ) 2>/dev/null +- cleanup +-} +- +-fib_suppress_test() +-{ +- echo +- echo "FIB rule with suppress_prefixlength" +- setup +- +- $IP link add dummy1 type dummy +- $IP link set dummy1 up +- $IP -6 route add default dev dummy1 +- $IP -6 rule add table main suppress_prefixlength 0 +- ping -f -c 1000 -W 1 1234::1 >/dev/null 2>&1 +- $IP -6 rule del table main suppress_prefixlength 0 +- $IP link del dummy1 +- +- # If we got here without crashing, we're good. +- log_test 0 0 "FIB rule suppress test" +- +- cleanup +-} +- +-################################################################################ +-# Tests on route add and replace +- +-run_cmd() +-{ +- local cmd="$1" +- local out +- local stderr="2>/dev/null" +- +- if [ "$VERBOSE" = "1" ]; then +- printf " COMMAND: $cmd\n" +- stderr= +- fi +- +- out=$(eval $cmd $stderr) +- rc=$? +- if [ "$VERBOSE" = "1" -a -n "$out" ]; then +- echo " $out" +- fi +- +- [ "$VERBOSE" = "1" ] && echo +- +- return $rc +-} +- +-check_expected() +-{ +- local out="$1" +- local expected="$2" +- local rc=0 +- +- [ "${out}" = "${expected}" ] && return 0 +- +- if [ -z "${out}" ]; then +- if [ "$VERBOSE" = "1" ]; then +- printf "\nNo route entry found\n" +- printf "Expected:\n" +- printf " ${expected}\n" +- fi +- return 1 +- fi +- +- # tricky way to convert output to 1-line without ip's +- # messy '\'; this drops all extra white space +- out=$(echo ${out}) +- if [ "${out}" != "${expected}" ]; then +- rc=1 +- if [ "${VERBOSE}" = "1" ]; then +- printf " Unexpected route entry. Have:\n" +- printf " ${out}\n" +- printf " Expected:\n" +- printf " ${expected}\n\n" +- fi +- fi +- +- return $rc +-} +- +-# add route for a prefix, flushing any existing routes first +-# expected to be the first step of a test +-add_route6() +-{ +- local pfx="$1" +- local nh="$2" +- local out +- +- if [ "$VERBOSE" = "1" ]; then +- echo +- echo " ##################################################" +- echo +- fi +- +- run_cmd "$IP -6 ro flush ${pfx}" +- [ $? -ne 0 ] && exit 1 +- +- out=$($IP -6 ro ls match ${pfx}) +- if [ -n "$out" ]; then +- echo "Failed to flush routes for prefix used for tests." +- exit 1 +- fi +- +- run_cmd "$IP -6 ro add ${pfx} ${nh}" +- if [ $? -ne 0 ]; then +- echo "Failed to add initial route for test." +- exit 1 +- fi +-} +- +-# add initial route - used in replace route tests +-add_initial_route6() +-{ +- add_route6 "2001:db8:104::/64" "$1" +-} +- +-check_route6() +-{ +- local pfx +- local expected="$1" +- local out +- local rc=0 +- +- set -- $expected +- pfx=$1 +- +- out=$($IP -6 ro ls match ${pfx} | sed -e 's/ pref medium//') +- check_expected "${out}" "${expected}" +-} +- +-route_cleanup() +-{ +- $IP li del red 2>/dev/null +- $IP li del dummy1 2>/dev/null +- $IP li del veth1 2>/dev/null +- $IP li del veth3 2>/dev/null +- +- cleanup &> /dev/null +-} +- +-route_setup() +-{ +- route_cleanup +- setup +- +- [ "${VERBOSE}" = "1" ] && set -x +- set -e +- +- ip netns add ns2 +- ip netns set ns2 auto +- ip -netns ns2 link set dev lo up +- ip netns exec ns2 sysctl -qw net.ipv4.ip_forward=1 +- ip netns exec ns2 sysctl -qw net.ipv6.conf.all.forwarding=1 +- +- $IP li add veth1 type veth peer name veth2 +- $IP li add veth3 type veth peer name veth4 +- +- $IP li set veth1 up +- $IP li set veth3 up +- $IP li set veth2 netns ns2 up +- $IP li set veth4 netns ns2 up +- ip -netns ns2 li add dummy1 type dummy +- ip -netns ns2 li set dummy1 up +- +- $IP -6 addr add 2001:db8:101::1/64 dev veth1 nodad +- $IP -6 addr add 2001:db8:103::1/64 dev veth3 nodad +- $IP addr add 172.16.101.1/24 dev veth1 +- $IP addr add 172.16.103.1/24 dev veth3 +- +- ip -netns ns2 -6 addr add 2001:db8:101::2/64 dev veth2 nodad +- ip -netns ns2 -6 addr add 2001:db8:103::2/64 dev veth4 nodad +- ip -netns ns2 -6 addr add 2001:db8:104::1/64 dev dummy1 nodad +- +- ip -netns ns2 addr add 172.16.101.2/24 dev veth2 +- ip -netns ns2 addr add 172.16.103.2/24 dev veth4 +- ip -netns ns2 addr add 172.16.104.1/24 dev dummy1 +- +- set +e +-} +- +-# assumption is that basic add of a single path route works +-# otherwise just adding an address on an interface is broken +-ipv6_rt_add() +-{ +- local rc +- +- echo +- echo "IPv6 route add / append tests" +- +- # route add same prefix - fails with EEXISTS b/c ip adds NLM_F_EXCL +- add_route6 "2001:db8:104::/64" "via 2001:db8:101::2" +- run_cmd "$IP -6 ro add 2001:db8:104::/64 via 2001:db8:103::2" +- log_test $? 2 "Attempt to add duplicate route - gw" +- +- # route add same prefix - fails with EEXISTS b/c ip adds NLM_F_EXCL +- add_route6 "2001:db8:104::/64" "via 2001:db8:101::2" +- run_cmd "$IP -6 ro add 2001:db8:104::/64 dev veth3" +- log_test $? 2 "Attempt to add duplicate route - dev only" +- +- # route add same prefix - fails with EEXISTS b/c ip adds NLM_F_EXCL +- add_route6 "2001:db8:104::/64" "via 2001:db8:101::2" +- run_cmd "$IP -6 ro add unreachable 2001:db8:104::/64" +- log_test $? 2 "Attempt to add duplicate route - reject route" +- +- # route append with same prefix adds a new route +- # - iproute2 sets NLM_F_CREATE | NLM_F_APPEND +- add_route6 "2001:db8:104::/64" "via 2001:db8:101::2" +- run_cmd "$IP -6 ro append 2001:db8:104::/64 via 2001:db8:103::2" +- check_route6 "2001:db8:104::/64 metric 1024 nexthop via 2001:db8:101::2 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- log_test $? 0 "Append nexthop to existing route - gw" +- +- # insert mpath directly +- add_route6 "2001:db8:104::/64" "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- check_route6 "2001:db8:104::/64 metric 1024 nexthop via 2001:db8:101::2 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- log_test $? 0 "Add multipath route" +- +- add_route6 "2001:db8:104::/64" "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro add 2001:db8:104::/64 nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- log_test $? 2 "Attempt to add duplicate multipath route" +- +- # insert of a second route without append but different metric +- add_route6 "2001:db8:104::/64" "via 2001:db8:101::2" +- run_cmd "$IP -6 ro add 2001:db8:104::/64 via 2001:db8:103::2 metric 512" +- rc=$? +- if [ $rc -eq 0 ]; then +- run_cmd "$IP -6 ro add 2001:db8:104::/64 via 2001:db8:103::3 metric 256" +- rc=$? +- fi +- log_test $rc 0 "Route add with different metrics" +- +- run_cmd "$IP -6 ro del 2001:db8:104::/64 metric 512" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:104::/64 via 2001:db8:103::3 dev veth3 metric 256 2001:db8:104::/64 via 2001:db8:101::2 dev veth1 metric 1024" +- rc=$? +- fi +- log_test $rc 0 "Route delete with metric" +-} +- +-ipv6_rt_replace_single() +-{ +- # single path with single path +- # +- add_initial_route6 "via 2001:db8:101::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 via 2001:db8:103::2" +- check_route6 "2001:db8:104::/64 via 2001:db8:103::2 dev veth3 metric 1024" +- log_test $? 0 "Single path with single path" +- +- # single path with multipath +- # +- add_initial_route6 "nexthop via 2001:db8:101::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:101::3 nexthop via 2001:db8:103::2" +- check_route6 "2001:db8:104::/64 metric 1024 nexthop via 2001:db8:101::3 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- log_test $? 0 "Single path with multipath" +- +- # single path with single path using MULTIPATH attribute +- # +- add_initial_route6 "via 2001:db8:101::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:103::2" +- check_route6 "2001:db8:104::/64 via 2001:db8:103::2 dev veth3 metric 1024" +- log_test $? 0 "Single path with single path via multipath attribute" +- +- # route replace fails - invalid nexthop +- add_initial_route6 "via 2001:db8:101::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 via 2001:db8:104::2" +- if [ $? -eq 0 ]; then +- # previous command is expected to fail so if it returns 0 +- # that means the test failed. +- log_test 0 1 "Invalid nexthop" +- else +- check_route6 "2001:db8:104::/64 via 2001:db8:101::2 dev veth1 metric 1024" +- log_test $? 0 "Invalid nexthop" +- fi +- +- # replace non-existent route +- # - note use of change versus replace since ip adds NLM_F_CREATE +- # for replace +- add_initial_route6 "via 2001:db8:101::2" +- run_cmd "$IP -6 ro change 2001:db8:105::/64 via 2001:db8:101::2" +- log_test $? 2 "Single path - replace of non-existent route" +-} +- +-ipv6_rt_replace_mpath() +-{ +- # multipath with multipath +- add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:101::3 nexthop via 2001:db8:103::3" +- check_route6 "2001:db8:104::/64 metric 1024 nexthop via 2001:db8:101::3 dev veth1 weight 1 nexthop via 2001:db8:103::3 dev veth3 weight 1" +- log_test $? 0 "Multipath with multipath" +- +- # multipath with single +- add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 via 2001:db8:101::3" +- check_route6 "2001:db8:104::/64 via 2001:db8:101::3 dev veth1 metric 1024" +- log_test $? 0 "Multipath with single path" +- +- # multipath with single +- add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:101::3" +- check_route6 "2001:db8:104::/64 via 2001:db8:101::3 dev veth1 metric 1024" +- log_test $? 0 "Multipath with single path via multipath attribute" +- +- # multipath with dev-only +- add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 dev veth1" +- check_route6 "2001:db8:104::/64 dev veth1 metric 1024" +- log_test $? 0 "Multipath with dev-only" +- +- # route replace fails - invalid nexthop 1 +- add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:111::3 nexthop via 2001:db8:103::3" +- check_route6 "2001:db8:104::/64 metric 1024 nexthop via 2001:db8:101::2 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- log_test $? 0 "Multipath - invalid first nexthop" +- +- # route replace fails - invalid nexthop 2 +- add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:101::3 nexthop via 2001:db8:113::3" +- check_route6 "2001:db8:104::/64 metric 1024 nexthop via 2001:db8:101::2 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- log_test $? 0 "Multipath - invalid second nexthop" +- +- # multipath non-existent route +- add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- run_cmd "$IP -6 ro change 2001:db8:105::/64 nexthop via 2001:db8:101::3 nexthop via 2001:db8:103::3" +- log_test $? 2 "Multipath - replace of non-existent route" +-} +- +-ipv6_rt_replace() +-{ +- echo +- echo "IPv6 route replace tests" +- +- ipv6_rt_replace_single +- ipv6_rt_replace_mpath +-} +- +-ipv6_route_test() +-{ +- route_setup +- +- ipv6_rt_add +- ipv6_rt_replace +- +- route_cleanup +-} +- +-ip_addr_metric_check() +-{ +- ip addr help 2>&1 | grep -q metric +- if [ $? -ne 0 ]; then +- echo "iproute2 command does not support metric for addresses. Skipping test" +- return 1 +- fi +- +- return 0 +-} +- +-ipv6_addr_metric_test() +-{ +- local rc +- +- echo +- echo "IPv6 prefix route tests" +- +- ip_addr_metric_check || return 1 +- +- setup +- +- set -e +- $IP li add dummy1 type dummy +- $IP li add dummy2 type dummy +- $IP li set dummy1 up +- $IP li set dummy2 up +- +- # default entry is metric 256 +- run_cmd "$IP -6 addr add dev dummy1 2001:db8:104::1/64" +- run_cmd "$IP -6 addr add dev dummy2 2001:db8:104::2/64" +- set +e +- +- check_route6 "2001:db8:104::/64 dev dummy1 proto kernel metric 256 2001:db8:104::/64 dev dummy2 proto kernel metric 256" +- log_test $? 0 "Default metric" +- +- set -e +- run_cmd "$IP -6 addr flush dev dummy1" +- run_cmd "$IP -6 addr add dev dummy1 2001:db8:104::1/64 metric 257" +- set +e +- +- check_route6 "2001:db8:104::/64 dev dummy2 proto kernel metric 256 2001:db8:104::/64 dev dummy1 proto kernel metric 257" +- log_test $? 0 "User specified metric on first device" +- +- set -e +- run_cmd "$IP -6 addr flush dev dummy2" +- run_cmd "$IP -6 addr add dev dummy2 2001:db8:104::2/64 metric 258" +- set +e +- +- check_route6 "2001:db8:104::/64 dev dummy1 proto kernel metric 257 2001:db8:104::/64 dev dummy2 proto kernel metric 258" +- log_test $? 0 "User specified metric on second device" +- +- run_cmd "$IP -6 addr del dev dummy1 2001:db8:104::1/64 metric 257" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:104::/64 dev dummy2 proto kernel metric 258" +- rc=$? +- fi +- log_test $rc 0 "Delete of address on first device" +- +- run_cmd "$IP -6 addr change dev dummy2 2001:db8:104::2/64 metric 259" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:104::/64 dev dummy2 proto kernel metric 259" +- rc=$? +- fi +- log_test $rc 0 "Modify metric of address" +- +- # verify prefix route removed on down +- run_cmd "ip netns exec ns1 sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1" +- run_cmd "$IP li set dev dummy2 down" +- rc=$? +- if [ $rc -eq 0 ]; then +- out=$($IP -6 ro ls match 2001:db8:104::/64) +- check_expected "${out}" "" +- rc=$? +- fi +- log_test $rc 0 "Prefix route removed on link down" +- +- # verify prefix route re-inserted with assigned metric +- run_cmd "$IP li set dev dummy2 up" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:104::/64 dev dummy2 proto kernel metric 259" +- rc=$? +- fi +- log_test $rc 0 "Prefix route with metric on link up" +- +- # verify peer metric added correctly +- set -e +- run_cmd "$IP -6 addr flush dev dummy2" +- run_cmd "$IP -6 addr add dev dummy2 2001:db8:104::1 peer 2001:db8:104::2 metric 260" +- set +e +- +- check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 260" +- log_test $? 0 "Set metric with peer route on local side" +- check_route6 "2001:db8:104::2 dev dummy2 proto kernel metric 260" +- log_test $? 0 "Set metric with peer route on peer side" +- +- set -e +- run_cmd "$IP -6 addr change dev dummy2 2001:db8:104::1 peer 2001:db8:104::3 metric 261" +- set +e +- +- check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 261" +- log_test $? 0 "Modify metric and peer address on local side" +- check_route6 "2001:db8:104::3 dev dummy2 proto kernel metric 261" +- log_test $? 0 "Modify metric and peer address on peer side" +- +- $IP li del dummy1 +- $IP li del dummy2 +- cleanup +-} +- +-ipv6_route_metrics_test() +-{ +- local rc +- +- echo +- echo "IPv6 routes with metrics" +- +- route_setup +- +- # +- # single path with metrics +- # +- run_cmd "$IP -6 ro add 2001:db8:111::/64 via 2001:db8:101::2 mtu 1400" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:111::/64 via 2001:db8:101::2 dev veth1 metric 1024 mtu 1400" +- rc=$? +- fi +- log_test $rc 0 "Single path route with mtu metric" +- +- +- # +- # multipath via separate routes with metrics +- # +- run_cmd "$IP -6 ro add 2001:db8:112::/64 via 2001:db8:101::2 mtu 1400" +- run_cmd "$IP -6 ro append 2001:db8:112::/64 via 2001:db8:103::2" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:112::/64 metric 1024 mtu 1400 nexthop via 2001:db8:101::2 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- rc=$? +- fi +- log_test $rc 0 "Multipath route via 2 single routes with mtu metric on first" +- +- # second route is coalesced to first to make a multipath route. +- # MTU of the second path is hidden from display! +- run_cmd "$IP -6 ro add 2001:db8:113::/64 via 2001:db8:101::2" +- run_cmd "$IP -6 ro append 2001:db8:113::/64 via 2001:db8:103::2 mtu 1400" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:113::/64 metric 1024 nexthop via 2001:db8:101::2 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- rc=$? +- fi +- log_test $rc 0 "Multipath route via 2 single routes with mtu metric on 2nd" +- +- run_cmd "$IP -6 ro del 2001:db8:113::/64 via 2001:db8:101::2" +- if [ $? -eq 0 ]; then +- check_route6 "2001:db8:113::/64 via 2001:db8:103::2 dev veth3 metric 1024 mtu 1400" +- log_test $? 0 " MTU of second leg" +- fi +- +- # +- # multipath with metrics +- # +- run_cmd "$IP -6 ro add 2001:db8:115::/64 mtu 1400 nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route6 "2001:db8:115::/64 metric 1024 mtu 1400 nexthop via 2001:db8:101::2 dev veth1 weight 1 nexthop via 2001:db8:103::2 dev veth3 weight 1" +- rc=$? +- fi +- log_test $rc 0 "Multipath route with mtu metric" +- +- $IP -6 ro add 2001:db8:104::/64 via 2001:db8:101::2 mtu 1300 +- run_cmd "ip netns exec ns1 ${ping6} -w1 -c1 -s 1500 2001:db8:104::1" +- log_test $? 0 "Using route with mtu metric" +- +- run_cmd "$IP -6 ro add 2001:db8:114::/64 via 2001:db8:101::2 congctl lock foo" +- log_test $? 2 "Invalid metric (fails metric_convert)" +- +- route_cleanup +-} +- +-# add route for a prefix, flushing any existing routes first +-# expected to be the first step of a test +-add_route() +-{ +- local pfx="$1" +- local nh="$2" +- local out +- +- if [ "$VERBOSE" = "1" ]; then +- echo +- echo " ##################################################" +- echo +- fi +- +- run_cmd "$IP ro flush ${pfx}" +- [ $? -ne 0 ] && exit 1 +- +- out=$($IP ro ls match ${pfx}) +- if [ -n "$out" ]; then +- echo "Failed to flush routes for prefix used for tests." +- exit 1 +- fi +- +- run_cmd "$IP ro add ${pfx} ${nh}" +- if [ $? -ne 0 ]; then +- echo "Failed to add initial route for test." +- exit 1 +- fi +-} +- +-# add initial route - used in replace route tests +-add_initial_route() +-{ +- add_route "172.16.104.0/24" "$1" +-} +- +-check_route() +-{ +- local pfx +- local expected="$1" +- local out +- +- set -- $expected +- pfx=$1 +- [ "${pfx}" = "unreachable" ] && pfx=$2 +- +- out=$($IP ro ls match ${pfx}) +- check_expected "${out}" "${expected}" +-} +- +-# assumption is that basic add of a single path route works +-# otherwise just adding an address on an interface is broken +-ipv4_rt_add() +-{ +- local rc +- +- echo +- echo "IPv4 route add / append tests" +- +- # route add same prefix - fails with EEXISTS b/c ip adds NLM_F_EXCL +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro add 172.16.104.0/24 via 172.16.103.2" +- log_test $? 2 "Attempt to add duplicate route - gw" +- +- # route add same prefix - fails with EEXISTS b/c ip adds NLM_F_EXCL +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro add 172.16.104.0/24 dev veth3" +- log_test $? 2 "Attempt to add duplicate route - dev only" +- +- # route add same prefix - fails with EEXISTS b/c ip adds NLM_F_EXCL +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro add unreachable 172.16.104.0/24" +- log_test $? 2 "Attempt to add duplicate route - reject route" +- +- # iproute2 prepend only sets NLM_F_CREATE +- # - adds a new route; does NOT convert existing route to ECMP +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro prepend 172.16.104.0/24 via 172.16.103.2" +- check_route "172.16.104.0/24 via 172.16.103.2 dev veth3 172.16.104.0/24 via 172.16.101.2 dev veth1" +- log_test $? 0 "Add new nexthop for existing prefix" +- +- # route append with same prefix adds a new route +- # - iproute2 sets NLM_F_CREATE | NLM_F_APPEND +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro append 172.16.104.0/24 via 172.16.103.2" +- check_route "172.16.104.0/24 via 172.16.101.2 dev veth1 172.16.104.0/24 via 172.16.103.2 dev veth3" +- log_test $? 0 "Append nexthop to existing route - gw" +- +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro append 172.16.104.0/24 dev veth3" +- check_route "172.16.104.0/24 via 172.16.101.2 dev veth1 172.16.104.0/24 dev veth3 scope link" +- log_test $? 0 "Append nexthop to existing route - dev only" +- +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro append unreachable 172.16.104.0/24" +- check_route "172.16.104.0/24 via 172.16.101.2 dev veth1 unreachable 172.16.104.0/24" +- log_test $? 0 "Append nexthop to existing route - reject route" +- +- run_cmd "$IP ro flush 172.16.104.0/24" +- run_cmd "$IP ro add unreachable 172.16.104.0/24" +- run_cmd "$IP ro append 172.16.104.0/24 via 172.16.103.2" +- check_route "unreachable 172.16.104.0/24 172.16.104.0/24 via 172.16.103.2 dev veth3" +- log_test $? 0 "Append nexthop to existing reject route - gw" +- +- run_cmd "$IP ro flush 172.16.104.0/24" +- run_cmd "$IP ro add unreachable 172.16.104.0/24" +- run_cmd "$IP ro append 172.16.104.0/24 dev veth3" +- check_route "unreachable 172.16.104.0/24 172.16.104.0/24 dev veth3 scope link" +- log_test $? 0 "Append nexthop to existing reject route - dev only" +- +- # insert mpath directly +- add_route "172.16.104.0/24" "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- check_route "172.16.104.0/24 nexthop via 172.16.101.2 dev veth1 weight 1 nexthop via 172.16.103.2 dev veth3 weight 1" +- log_test $? 0 "add multipath route" +- +- add_route "172.16.104.0/24" "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro add 172.16.104.0/24 nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- log_test $? 2 "Attempt to add duplicate multipath route" +- +- # insert of a second route without append but different metric +- add_route "172.16.104.0/24" "via 172.16.101.2" +- run_cmd "$IP ro add 172.16.104.0/24 via 172.16.103.2 metric 512" +- rc=$? +- if [ $rc -eq 0 ]; then +- run_cmd "$IP ro add 172.16.104.0/24 via 172.16.103.3 metric 256" +- rc=$? +- fi +- log_test $rc 0 "Route add with different metrics" +- +- run_cmd "$IP ro del 172.16.104.0/24 metric 512" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 via 172.16.101.2 dev veth1 172.16.104.0/24 via 172.16.103.3 dev veth3 metric 256" +- rc=$? +- fi +- log_test $rc 0 "Route delete with metric" +-} +- +-ipv4_rt_replace_single() +-{ +- # single path with single path +- # +- add_initial_route "via 172.16.101.2" +- run_cmd "$IP ro replace 172.16.104.0/24 via 172.16.103.2" +- check_route "172.16.104.0/24 via 172.16.103.2 dev veth3" +- log_test $? 0 "Single path with single path" +- +- # single path with multipath +- # +- add_initial_route "nexthop via 172.16.101.2" +- run_cmd "$IP ro replace 172.16.104.0/24 nexthop via 172.16.101.3 nexthop via 172.16.103.2" +- check_route "172.16.104.0/24 nexthop via 172.16.101.3 dev veth1 weight 1 nexthop via 172.16.103.2 dev veth3 weight 1" +- log_test $? 0 "Single path with multipath" +- +- # single path with reject +- # +- add_initial_route "nexthop via 172.16.101.2" +- run_cmd "$IP ro replace unreachable 172.16.104.0/24" +- check_route "unreachable 172.16.104.0/24" +- log_test $? 0 "Single path with reject route" +- +- # single path with single path using MULTIPATH attribute +- # +- add_initial_route "via 172.16.101.2" +- run_cmd "$IP ro replace 172.16.104.0/24 nexthop via 172.16.103.2" +- check_route "172.16.104.0/24 via 172.16.103.2 dev veth3" +- log_test $? 0 "Single path with single path via multipath attribute" +- +- # route replace fails - invalid nexthop +- add_initial_route "via 172.16.101.2" +- run_cmd "$IP ro replace 172.16.104.0/24 via 2001:db8:104::2" +- if [ $? -eq 0 ]; then +- # previous command is expected to fail so if it returns 0 +- # that means the test failed. +- log_test 0 1 "Invalid nexthop" +- else +- check_route "172.16.104.0/24 via 172.16.101.2 dev veth1" +- log_test $? 0 "Invalid nexthop" +- fi +- +- # replace non-existent route +- # - note use of change versus replace since ip adds NLM_F_CREATE +- # for replace +- add_initial_route "via 172.16.101.2" +- run_cmd "$IP ro change 172.16.105.0/24 via 172.16.101.2" +- log_test $? 2 "Single path - replace of non-existent route" +-} +- +-ipv4_rt_replace_mpath() +-{ +- # multipath with multipath +- add_initial_route "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro replace 172.16.104.0/24 nexthop via 172.16.101.3 nexthop via 172.16.103.3" +- check_route "172.16.104.0/24 nexthop via 172.16.101.3 dev veth1 weight 1 nexthop via 172.16.103.3 dev veth3 weight 1" +- log_test $? 0 "Multipath with multipath" +- +- # multipath with single +- add_initial_route "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro replace 172.16.104.0/24 via 172.16.101.3" +- check_route "172.16.104.0/24 via 172.16.101.3 dev veth1" +- log_test $? 0 "Multipath with single path" +- +- # multipath with single +- add_initial_route "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro replace 172.16.104.0/24 nexthop via 172.16.101.3" +- check_route "172.16.104.0/24 via 172.16.101.3 dev veth1" +- log_test $? 0 "Multipath with single path via multipath attribute" +- +- # multipath with reject +- add_initial_route "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro replace unreachable 172.16.104.0/24" +- check_route "unreachable 172.16.104.0/24" +- log_test $? 0 "Multipath with reject route" +- +- # route replace fails - invalid nexthop 1 +- add_initial_route "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro replace 172.16.104.0/24 nexthop via 172.16.111.3 nexthop via 172.16.103.3" +- check_route "172.16.104.0/24 nexthop via 172.16.101.2 dev veth1 weight 1 nexthop via 172.16.103.2 dev veth3 weight 1" +- log_test $? 0 "Multipath - invalid first nexthop" +- +- # route replace fails - invalid nexthop 2 +- add_initial_route "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro replace 172.16.104.0/24 nexthop via 172.16.101.3 nexthop via 172.16.113.3" +- check_route "172.16.104.0/24 nexthop via 172.16.101.2 dev veth1 weight 1 nexthop via 172.16.103.2 dev veth3 weight 1" +- log_test $? 0 "Multipath - invalid second nexthop" +- +- # multipath non-existent route +- add_initial_route "nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- run_cmd "$IP ro change 172.16.105.0/24 nexthop via 172.16.101.3 nexthop via 172.16.103.3" +- log_test $? 2 "Multipath - replace of non-existent route" +-} +- +-ipv4_rt_replace() +-{ +- echo +- echo "IPv4 route replace tests" +- +- ipv4_rt_replace_single +- ipv4_rt_replace_mpath +-} +- +-ipv4_route_test() +-{ +- route_setup +- +- ipv4_rt_add +- ipv4_rt_replace +- +- route_cleanup +-} +- +-ipv4_addr_metric_test() +-{ +- local rc +- +- echo +- echo "IPv4 prefix route tests" +- +- ip_addr_metric_check || return 1 +- +- setup +- +- set -e +- $IP li add dummy1 type dummy +- $IP li add dummy2 type dummy +- $IP li set dummy1 up +- $IP li set dummy2 up +- +- # default entry is metric 256 +- run_cmd "$IP addr add dev dummy1 172.16.104.1/24" +- run_cmd "$IP addr add dev dummy2 172.16.104.2/24" +- set +e +- +- check_route "172.16.104.0/24 dev dummy1 proto kernel scope link src 172.16.104.1 172.16.104.0/24 dev dummy2 proto kernel scope link src 172.16.104.2" +- log_test $? 0 "Default metric" +- +- set -e +- run_cmd "$IP addr flush dev dummy1" +- run_cmd "$IP addr add dev dummy1 172.16.104.1/24 metric 257" +- set +e +- +- check_route "172.16.104.0/24 dev dummy2 proto kernel scope link src 172.16.104.2 172.16.104.0/24 dev dummy1 proto kernel scope link src 172.16.104.1 metric 257" +- log_test $? 0 "User specified metric on first device" +- +- set -e +- run_cmd "$IP addr flush dev dummy2" +- run_cmd "$IP addr add dev dummy2 172.16.104.2/24 metric 258" +- set +e +- +- check_route "172.16.104.0/24 dev dummy1 proto kernel scope link src 172.16.104.1 metric 257 172.16.104.0/24 dev dummy2 proto kernel scope link src 172.16.104.2 metric 258" +- log_test $? 0 "User specified metric on second device" +- +- run_cmd "$IP addr del dev dummy1 172.16.104.1/24 metric 257" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 dev dummy2 proto kernel scope link src 172.16.104.2 metric 258" +- rc=$? +- fi +- log_test $rc 0 "Delete of address on first device" +- +- run_cmd "$IP addr change dev dummy2 172.16.104.2/24 metric 259" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 dev dummy2 proto kernel scope link src 172.16.104.2 metric 259" +- rc=$? +- fi +- log_test $rc 0 "Modify metric of address" +- +- # verify prefix route removed on down +- run_cmd "$IP li set dev dummy2 down" +- rc=$? +- if [ $rc -eq 0 ]; then +- out=$($IP ro ls match 172.16.104.0/24) +- check_expected "${out}" "" +- rc=$? +- fi +- log_test $rc 0 "Prefix route removed on link down" +- +- # verify prefix route re-inserted with assigned metric +- run_cmd "$IP li set dev dummy2 up" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 dev dummy2 proto kernel scope link src 172.16.104.2 metric 259" +- rc=$? +- fi +- log_test $rc 0 "Prefix route with metric on link up" +- +- # explicitly check for metric changes on edge scenarios +- run_cmd "$IP addr flush dev dummy2" +- run_cmd "$IP addr add dev dummy2 172.16.104.0/24 metric 259" +- run_cmd "$IP addr change dev dummy2 172.16.104.0/24 metric 260" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 dev dummy2 proto kernel scope link src 172.16.104.0 metric 260" +- rc=$? +- fi +- log_test $rc 0 "Modify metric of .0/24 address" +- +- run_cmd "$IP addr flush dev dummy2" +- run_cmd "$IP addr add dev dummy2 172.16.104.1/32 peer 172.16.104.2 metric 260" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.2 dev dummy2 proto kernel scope link src 172.16.104.1 metric 260" +- rc=$? +- fi +- log_test $rc 0 "Set metric of address with peer route" +- +- run_cmd "$IP addr change dev dummy2 172.16.104.1/32 peer 172.16.104.3 metric 261" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.3 dev dummy2 proto kernel scope link src 172.16.104.1 metric 261" +- rc=$? +- fi +- log_test $rc 0 "Modify metric and peer address for peer route" +- +- $IP li del dummy1 +- $IP li del dummy2 +- cleanup +-} +- +-ipv4_route_metrics_test() +-{ +- local rc +- +- echo +- echo "IPv4 route add / append tests" +- +- route_setup +- +- run_cmd "$IP ro add 172.16.111.0/24 via 172.16.101.2 mtu 1400" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.111.0/24 via 172.16.101.2 dev veth1 mtu 1400" +- rc=$? +- fi +- log_test $rc 0 "Single path route with mtu metric" +- +- +- run_cmd "$IP ro add 172.16.112.0/24 mtu 1400 nexthop via 172.16.101.2 nexthop via 172.16.103.2" +- rc=$? +- if [ $rc -eq 0 ]; then +- check_route "172.16.112.0/24 mtu 1400 nexthop via 172.16.101.2 dev veth1 weight 1 nexthop via 172.16.103.2 dev veth3 weight 1" +- rc=$? +- fi +- log_test $rc 0 "Multipath route with mtu metric" +- +- $IP ro add 172.16.104.0/24 via 172.16.101.2 mtu 1300 +- run_cmd "ip netns exec ns1 ping -w1 -c1 -s 1500 172.16.104.1" +- log_test $? 0 "Using route with mtu metric" +- +- run_cmd "$IP ro add 172.16.111.0/24 via 172.16.101.2 congctl lock foo" +- log_test $? 2 "Invalid metric (fails metric_convert)" +- +- route_cleanup +-} +- +-ipv4_route_v6_gw_test() +-{ +- local rc +- +- echo +- echo "IPv4 route with IPv6 gateway tests" +- +- route_setup +- sleep 2 +- +- # +- # single path route +- # +- run_cmd "$IP ro add 172.16.104.0/24 via inet6 2001:db8:101::2" +- rc=$? +- log_test $rc 0 "Single path route with IPv6 gateway" +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 via inet6 2001:db8:101::2 dev veth1" +- fi +- +- run_cmd "ip netns exec ns1 ping -w1 -c1 172.16.104.1" +- log_test $rc 0 "Single path route with IPv6 gateway - ping" +- +- run_cmd "$IP ro del 172.16.104.0/24 via inet6 2001:db8:101::2" +- rc=$? +- log_test $rc 0 "Single path route delete" +- if [ $rc -eq 0 ]; then +- check_route "172.16.112.0/24" +- fi +- +- # +- # multipath - v6 then v4 +- # +- run_cmd "$IP ro add 172.16.104.0/24 nexthop via inet6 2001:db8:101::2 dev veth1 nexthop via 172.16.103.2 dev veth3" +- rc=$? +- log_test $rc 0 "Multipath route add - v6 nexthop then v4" +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 nexthop via inet6 2001:db8:101::2 dev veth1 weight 1 nexthop via 172.16.103.2 dev veth3 weight 1" +- fi +- +- run_cmd "$IP ro del 172.16.104.0/24 nexthop via 172.16.103.2 dev veth3 nexthop via inet6 2001:db8:101::2 dev veth1" +- log_test $? 2 " Multipath route delete - nexthops in wrong order" +- +- run_cmd "$IP ro del 172.16.104.0/24 nexthop via inet6 2001:db8:101::2 dev veth1 nexthop via 172.16.103.2 dev veth3" +- log_test $? 0 " Multipath route delete exact match" +- +- # +- # multipath - v4 then v6 +- # +- run_cmd "$IP ro add 172.16.104.0/24 nexthop via 172.16.103.2 dev veth3 nexthop via inet6 2001:db8:101::2 dev veth1" +- rc=$? +- log_test $rc 0 "Multipath route add - v4 nexthop then v6" +- if [ $rc -eq 0 ]; then +- check_route "172.16.104.0/24 nexthop via 172.16.103.2 dev veth3 weight 1 nexthop via inet6 2001:db8:101::2 dev veth1 weight 1" +- fi +- +- run_cmd "$IP ro del 172.16.104.0/24 nexthop via inet6 2001:db8:101::2 dev veth1 nexthop via 172.16.103.2 dev veth3" +- log_test $? 2 " Multipath route delete - nexthops in wrong order" +- +- run_cmd "$IP ro del 172.16.104.0/24 nexthop via 172.16.103.2 dev veth3 nexthop via inet6 2001:db8:101::2 dev veth1" +- log_test $? 0 " Multipath route delete exact match" +- +- route_cleanup +-} +- +-################################################################################ +-# usage +- +-usage() +-{ +- cat < Test(s) to run (default: all) +- (options: $TESTS) +- -p Pause on fail +- -P Pause after each test before cleanup +- -v verbose mode (show commands and output) +-EOF +-} +- +-################################################################################ +-# main +- +-while getopts :t:pPhv o +-do +- case $o in +- t) TESTS=$OPTARG;; +- p) PAUSE_ON_FAIL=yes;; +- P) PAUSE=yes;; +- v) VERBOSE=$(($VERBOSE + 1));; +- h) usage; exit 0;; +- *) usage; exit 1;; +- esac +-done +- +-PEER_CMD="ip netns exec ${PEER_NS}" +- +-# make sure we don't pause twice +-[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no +- +-if [ "$(id -u)" -ne 0 ];then +- echo "SKIP: Need root privileges" +- exit $ksft_skip; +-fi +- +-if [ ! -x "$(command -v ip)" ]; then +- echo "SKIP: Could not run test without ip tool" +- exit $ksft_skip +-fi +- +-ip route help 2>&1 | grep -q fibmatch +-if [ $? -ne 0 ]; then +- echo "SKIP: iproute2 too old, missing fibmatch" +- exit $ksft_skip +-fi +- +-# start clean +-cleanup &> /dev/null +- +-for t in $TESTS +-do +- case $t in +- fib_unreg_test|unregister) fib_unreg_test;; +- fib_down_test|down) fib_down_test;; +- fib_carrier_test|carrier) fib_carrier_test;; +- fib_rp_filter_test|rp_filter) fib_rp_filter_test;; +- fib_nexthop_test|nexthop) fib_nexthop_test;; +- fib_suppress_test|suppress) fib_suppress_test;; +- ipv6_route_test|ipv6_rt) ipv6_route_test;; +- ipv4_route_test|ipv4_rt) ipv4_route_test;; +- ipv6_addr_metric) ipv6_addr_metric_test;; +- ipv4_addr_metric) ipv4_addr_metric_test;; +- ipv6_route_metrics) ipv6_route_metrics_test;; +- ipv4_route_metrics) ipv4_route_metrics_test;; +- ipv4_route_v6_gw) ipv4_route_v6_gw_test;; +- +- help) echo "Test names: $TESTS"; exit 0;; +- esac +-done +- +-if [ "$TESTS" != "none" ]; then +- printf "\nTests passed: %3d\n" ${nsuccess} +- printf "Tests failed: %3d\n" ${nfail} +-fi +- +-exit $ret +-- +2.35.1 + diff --git a/queue-5.4/ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch b/queue-5.4/ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch new file mode 100644 index 00000000000..d87e21185e8 --- /dev/null +++ b/queue-5.4/ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch @@ -0,0 +1,106 @@ +From cfd0d5e5b7af2976d3d6bc06078ed2cdffe9fd88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 09:50:45 +0200 +Subject: ipv4: Fix incorrect route flushing when table ID 0 is used + +From: Ido Schimmel + +[ Upstream commit c0d999348e01df03e0a7f550351f3907fabbf611 ] + +Cited commit added the table ID to the FIB info structure, but did not +properly initialize it when table ID 0 is used. This can lead to a route +in the default VRF with a preferred source address not being flushed +when the address is deleted. + +Consider the following example: + + # ip address add dev dummy1 192.0.2.1/28 + # ip address add dev dummy1 192.0.2.17/28 + # ip route add 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 100 + # ip route add table 0 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 200 + # ip route show 198.51.100.0/24 + 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 100 + 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200 + +Both routes are installed in the default VRF, but they are using two +different FIB info structures. One with a metric of 100 and table ID of +254 (main) and one with a metric of 200 and table ID of 0. Therefore, +when the preferred source address is deleted from the default VRF, +the second route is not flushed: + + # ip address del dev dummy1 192.0.2.17/28 + # ip route show 198.51.100.0/24 + 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200 + +Fix by storing a table ID of 254 instead of 0 in the route configuration +structure. + +Add a test case that fails before the fix: + + # ./fib_tests.sh -t ipv4_del_addr + + IPv4 delete address route tests + Regular FIB info + TEST: Route removed from VRF when source address deleted [ OK ] + TEST: Route in default VRF not removed [ OK ] + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [ OK ] + Identical FIB info with different table ID + TEST: Route removed from VRF when source address deleted [ OK ] + TEST: Route in default VRF not removed [ OK ] + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [ OK ] + Table ID 0 + TEST: Route removed in default VRF when source address deleted [FAIL] + + Tests passed: 8 + Tests failed: 1 + +And passes after: + + # ./fib_tests.sh -t ipv4_del_addr + + IPv4 delete address route tests + Regular FIB info + TEST: Route removed from VRF when source address deleted [ OK ] + TEST: Route in default VRF not removed [ OK ] + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [ OK ] + Identical FIB info with different table ID + TEST: Route removed from VRF when source address deleted [ OK ] + TEST: Route in default VRF not removed [ OK ] + TEST: Route removed in default VRF when source address deleted [ OK ] + TEST: Route in VRF is not removed by address delete [ OK ] + Table ID 0 + TEST: Route removed in default VRF when source address deleted [ OK ] + + Tests passed: 9 + Tests failed: 0 + +Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs") +Reported-by: Donald Sharp +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_frontend.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index d38c8ca93ba0..be31eeacb0be 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -840,6 +840,9 @@ static int rtm_to_fib_config(struct net *net, struct sk_buff *skb, + return -EINVAL; + } + ++ if (!cfg->fc_table) ++ cfg->fc_table = RT_TABLE_MAIN; ++ + return 0; + errout: + return err; +-- +2.35.1 + diff --git a/queue-5.4/ipv6-avoid-use-after-free-in-ip6_fragment.patch b/queue-5.4/ipv6-avoid-use-after-free-in-ip6_fragment.patch new file mode 100644 index 00000000000..e024e78e406 --- /dev/null +++ b/queue-5.4/ipv6-avoid-use-after-free-in-ip6_fragment.patch @@ -0,0 +1,289 @@ +From 4aefc40e0cc979c96ba250374f7e827dfa2d9e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 10:13:51 +0000 +Subject: ipv6: avoid use-after-free in ip6_fragment() + +From: Eric Dumazet + +[ Upstream commit 803e84867de59a1e5d126666d25eb4860cfd2ebe ] + +Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers. + +It seems to not be always true, at least for UDP stack. + +syzbot reported: + +BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline] +BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 +Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618 + +CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x15e/0x45d mm/kasan/report.c:395 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 + ip6_dst_idev include/net/ip6_fib.h:245 [inline] + ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 + __ip6_finish_output net/ipv6/ip6_output.c:193 [inline] + ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206 + NF_HOOK_COND include/linux/netfilter.h:291 [inline] + ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 + dst_output include/net/dst.h:445 [inline] + ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161 + ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966 + udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286 + udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313 + udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606 + inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + sock_write_iter+0x295/0x3d0 net/socket.c:1108 + call_write_iter include/linux/fs.h:2191 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x9ed/0xdd0 fs/read_write.c:584 + ksys_write+0x1ec/0x250 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fde3588c0d9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9 +RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a +RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000 + + +Allocated by task 7618: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3398 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422 + dst_alloc+0x14a/0x1f0 net/core/dst.c:92 + ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344 + ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline] + rt6_make_pcpu_route net/ipv6/route.c:1417 [inline] + ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254 + pol_lookup_func include/net/ip6_fib.h:582 [inline] + fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121 + ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625 + ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638 + ip6_route_output include/net/ip6_route.h:98 [inline] + ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092 + ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222 + ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260 + udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554 + inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + __sys_sendto+0x23a/0x340 net/socket.c:2117 + __do_sys_sendto net/socket.c:2129 [inline] + __se_sys_sendto net/socket.c:2125 [inline] + __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 7599: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1724 [inline] + slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750 + slab_free mm/slub.c:3661 [inline] + kmem_cache_free+0xee/0x5c0 mm/slub.c:3683 + dst_destroy+0x2ea/0x400 net/core/dst.c:127 + rcu_do_batch kernel/rcu/tree.c:2250 [inline] + rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510 + __do_softirq+0x1fb/0xadc kernel/softirq.c:571 + +Last potentially related work creation: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481 + call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798 + dst_release net/core/dst.c:177 [inline] + dst_release+0x7d/0xe0 net/core/dst.c:167 + refdst_drop include/net/dst.h:256 [inline] + skb_dst_drop include/net/dst.h:268 [inline] + skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838 + skb_release_all net/core/skbuff.c:852 [inline] + __kfree_skb net/core/skbuff.c:868 [inline] + kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891 + kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901 + kfree_skb_list include/linux/skbuff.h:1227 [inline] + ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949 + __ip6_finish_output net/ipv6/ip6_output.c:193 [inline] + ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206 + NF_HOOK_COND include/linux/netfilter.h:291 [inline] + ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 + dst_output include/net/dst.h:445 [inline] + ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161 + ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966 + udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286 + udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313 + udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606 + inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + sock_write_iter+0x295/0x3d0 net/socket.c:1108 + call_write_iter include/linux/fs.h:2191 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x9ed/0xdd0 fs/read_write.c:584 + ksys_write+0x1ec/0x250 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Second to last potentially related work creation: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481 + call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798 + dst_release net/core/dst.c:177 [inline] + dst_release+0x7d/0xe0 net/core/dst.c:167 + refdst_drop include/net/dst.h:256 [inline] + skb_dst_drop include/net/dst.h:268 [inline] + __dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211 + dev_queue_xmit include/linux/netdevice.h:3008 [inline] + neigh_resolve_output net/core/neighbour.c:1552 [inline] + neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532 + neigh_output include/net/neighbour.h:546 [inline] + ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134 + __ip6_finish_output net/ipv6/ip6_output.c:195 [inline] + ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206 + NF_HOOK_COND include/linux/netfilter.h:291 [inline] + ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 + dst_output include/net/dst.h:445 [inline] + NF_HOOK include/linux/netfilter.h:302 [inline] + NF_HOOK include/linux/netfilter.h:296 [inline] + mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820 + mld_send_cr net/ipv6/mcast.c:2121 [inline] + mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + +The buggy address belongs to the object at ffff88801d403dc0 + which belongs to the cache ip6_dst_cache of size 240 +The buggy address is located 192 bytes inside of + 240-byte region [ffff88801d403dc0, ffff88801d403eb0) + +The buggy address belongs to the physical page: +page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403 +memcg:ffff888022f49c81 +flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640 +raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441 + prep_new_page mm/page_alloc.c:2539 [inline] + get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288 + __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555 + alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285 + alloc_slab_page mm/slub.c:1794 [inline] + allocate_slab+0x213/0x300 mm/slub.c:1939 + new_slab mm/slub.c:1992 [inline] + ___slab_alloc+0xa91/0x1400 mm/slub.c:3180 + __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279 + slab_alloc_node mm/slub.c:3364 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422 + dst_alloc+0x14a/0x1f0 net/core/dst.c:92 + ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344 + icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261 + mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809 + mld_send_cr net/ipv6/mcast.c:2121 [inline] + mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 +page last free stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1459 [inline] + free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509 + free_unref_page_prepare mm/page_alloc.c:3387 [inline] + free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483 + __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586 + qlink_free mm/kasan/quarantine.c:168 [inline] + qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 + kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294 + __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3398 [inline] + kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443 + __alloc_skb+0x214/0x300 net/core/skbuff.c:497 + alloc_skb include/linux/skbuff.h:1267 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline] + netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xd3/0x120 net/socket.c:734 + __sys_sendto+0x23a/0x340 net/socket.c:2117 + __do_sys_sendto net/socket.c:2129 [inline] + __se_sys_sendto net/socket.c:2125 [inline] + __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: 1758fd4688eb ("ipv6: remove unnecessary dst_hold() in ip6_fragment()") +Reported-by: syzbot+8c0ac31aa9681abb9e2d@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Cc: Martin KaFai Lau +Link: https://lore.kernel.org/r/20221206101351.2037285-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 5585e3a94f3c..457eb07be482 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -919,6 +919,9 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + if (err < 0) + goto fail; + ++ /* We prevent @rt from being freed. */ ++ rcu_read_lock(); ++ + for (;;) { + /* Prepare header of the next frame, + * before previous one went down. */ +@@ -942,6 +945,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + if (err == 0) { + IP6_INC_STATS(net, ip6_dst_idev(&rt->dst), + IPSTATS_MIB_FRAGOKS); ++ rcu_read_unlock(); + return 0; + } + +@@ -949,6 +953,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + + IP6_INC_STATS(net, ip6_dst_idev(&rt->dst), + IPSTATS_MIB_FRAGFAILS); ++ rcu_read_unlock(); + return err; + + slow_path_clean: +-- +2.35.1 + diff --git a/queue-5.4/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch b/queue-5.4/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch new file mode 100644 index 00000000000..ddec30b61a8 --- /dev/null +++ b/queue-5.4/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch @@ -0,0 +1,56 @@ +From 3b4cef4afd9a93de2ce0ec56ccc5929b8c900481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 09:17:05 +0000 +Subject: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() + +From: Wei Yongjun + +[ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ] + +Kernel fault injection test reports null-ptr-deref as follows: + +BUG: kernel NULL pointer dereference, address: 0000000000000008 +RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114 +Call Trace: + + raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87 + call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944 + unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982 + unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879 + register_netdevice+0x9a8/0xb90 net/core/dev.c:10083 + ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659 + ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229 + mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316 + +ieee802154_if_add() allocates wpan_dev as netdev's private data, but not +init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage +the list when device register/unregister, and may lead to null-ptr-deref. + +Use INIT_LIST_HEAD() on it to initialize it correctly. + +Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list") +Signed-off-by: Wei Yongjun +Acked-by: Alexander Aring + +Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/iface.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index 1cf5ac09edcb..a08240fe68a7 100644 +--- a/net/mac802154/iface.c ++++ b/net/mac802154/iface.c +@@ -661,6 +661,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name, + sdata->dev = ndev; + sdata->wpan_dev.wpan_phy = local->hw.phy; + sdata->local = local; ++ INIT_LIST_HEAD(&sdata->wpan_dev.list); + + /* setup type-dependent data */ + ret = ieee802154_setup_sdata(sdata, type); +-- +2.35.1 + diff --git a/queue-5.4/net-dsa-ksz-check-return-value.patch b/queue-5.4/net-dsa-ksz-check-return-value.patch new file mode 100644 index 00000000000..bf9d02d224e --- /dev/null +++ b/queue-5.4/net-dsa-ksz-check-return-value.patch @@ -0,0 +1,42 @@ +From f8d835f239576af369c11e25c538cc4a40af5a11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 17:00:30 +0300 +Subject: net: dsa: ksz: Check return value + +From: Artem Chernyshev + +[ Upstream commit 3d8fdcbf1f42e2bb9ae8b8c0b6f202278c788a22 ] + +Return NULL if we got unexpected value from skb_trim_rcsum() +in ksz_common_rcv() + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bafe9ba7d908 ("net: dsa: ksz: Factor out common tag code") +Signed-off-by: Artem Chernyshev +Reviewed-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221201140032.26746-1-artem.chernyshev@red-soft.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_ksz.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c +index 73605bcbb385..7354c5db3a14 100644 +--- a/net/dsa/tag_ksz.c ++++ b/net/dsa/tag_ksz.c +@@ -62,7 +62,8 @@ static struct sk_buff *ksz_common_rcv(struct sk_buff *skb, + if (!skb->dev) + return NULL; + +- pskb_trim_rcsum(skb, skb->len - len); ++ if (pskb_trim_rcsum(skb, skb->len - len)) ++ return NULL; + + skb->offload_fwd_mark = true; + +-- +2.35.1 + diff --git a/queue-5.4/net-encx24j600-add-parentheses-to-fix-precedence.patch b/queue-5.4/net-encx24j600-add-parentheses-to-fix-precedence.patch new file mode 100644 index 00000000000..dbb411c8073 --- /dev/null +++ b/queue-5.4/net-encx24j600-add-parentheses-to-fix-precedence.patch @@ -0,0 +1,50 @@ +From 8fad2b7e7032f4cb76505d40a03c5c4c60c75e9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:34:07 +0300 +Subject: net: encx24j600: Add parentheses to fix precedence + +From: Valentina Goncharenko + +[ Upstream commit 167b3f2dcc62c271f3555b33df17e361bb1fa0ee ] + +In functions regmap_encx24j600_phy_reg_read() and +regmap_encx24j600_phy_reg_write() in the conditions of the waiting +cycles for filling the variable 'ret' it is necessary to add parentheses +to prevent wrong assignment due to logical operations precedence. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d70e53262f5c ("net: Microchip encx24j600 driver") +Signed-off-by: Valentina Goncharenko +Reviewed-by: Pavan Chebbi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c +index e2528633c09a..8c07c3c3c00c 100644 +--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c ++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c +@@ -364,7 +364,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && + (mistat & BUSY)) + cpu_relax(); + +@@ -402,7 +402,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && + (mistat & BUSY)) + cpu_relax(); + +-- +2.35.1 + diff --git a/queue-5.4/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch b/queue-5.4/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch new file mode 100644 index 00000000000..129f4860032 --- /dev/null +++ b/queue-5.4/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch @@ -0,0 +1,52 @@ +From a88b0b370c32b25e35744cd9d57bf320c0c77830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:34:08 +0300 +Subject: net: encx24j600: Fix invalid logic in reading of MISTAT register + +From: Valentina Goncharenko + +[ Upstream commit 25f427ac7b8d89b0259f86c0c6407b329df742b2 ] + +A loop for reading MISTAT register continues while regmap_read() fails +and (mistat & BUSY), but if regmap_read() fails a value of mistat is +undefined. + +The patch proposes to check for BUSY flag only when regmap_read() +succeed. Compile test only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d70e53262f5c ("net: Microchip encx24j600 driver") +Signed-off-by: Valentina Goncharenko +Reviewed-by: Pavan Chebbi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c +index 8c07c3c3c00c..8c6c5c706992 100644 +--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c ++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c +@@ -364,7 +364,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) && + (mistat & BUSY)) + cpu_relax(); + +@@ -402,7 +402,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) && + (mistat & BUSY)) + cpu_relax(); + +-- +2.35.1 + diff --git a/queue-5.4/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch b/queue-5.4/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch new file mode 100644 index 00000000000..ce67cfa5d9b --- /dev/null +++ b/queue-5.4/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch @@ -0,0 +1,37 @@ +From 4cbfdd544055a424f45e5894e403a17244840ab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:42:39 +0800 +Subject: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() + +From: Liu Jian + +[ Upstream commit 4640177049549de1a43e9bc49265f0cdfce08cfd ] + +The skb is delivered to napi_gro_receive() which may free it, after +calling this, dereferencing skb may trigger use-after-free. + +Fixes: 542ae60af24f ("net: hisilicon: Add Fast Ethernet MAC driver") +Signed-off-by: Liu Jian +Link: https://lore.kernel.org/r/20221203094240.1240211-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hisi_femac.c b/drivers/net/ethernet/hisilicon/hisi_femac.c +index 90ab7ade44c4..2ee6265228d1 100644 +--- a/drivers/net/ethernet/hisilicon/hisi_femac.c ++++ b/drivers/net/ethernet/hisilicon/hisi_femac.c +@@ -283,7 +283,7 @@ static int hisi_femac_rx(struct net_device *dev, int limit) + skb->protocol = eth_type_trans(skb, dev); + napi_gro_receive(&priv->napi, skb); + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += len; + next: + pos = (pos + 1) % rxq->num; + if (rx_pkts_num >= limit) +-- +2.35.1 + diff --git a/queue-5.4/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch b/queue-5.4/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch new file mode 100644 index 00000000000..78ffc30ddf0 --- /dev/null +++ b/queue-5.4/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch @@ -0,0 +1,37 @@ +From bb5216e1b9ee3b695e0631af87ca1d97b7691a55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:42:40 +0800 +Subject: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() + +From: Liu Jian + +[ Upstream commit 433c07a13f59856e4585e89e86b7d4cc59348fab ] + +The skb is delivered to napi_gro_receive() which may free it, after +calling this, dereferencing skb may trigger use-after-free. + +Fixes: 57c5bc9ad7d7 ("net: hisilicon: add hix5hd2 mac driver") +Signed-off-by: Liu Jian +Link: https://lore.kernel.org/r/20221203094240.1240211-2-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c +index c41b19c760f8..645cae590dc4 100644 +--- a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c +@@ -550,7 +550,7 @@ static int hix5hd2_rx(struct net_device *dev, int limit) + skb->protocol = eth_type_trans(skb, dev); + napi_gro_receive(&priv->napi, skb); + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += len; + next: + pos = dma_ring_incr(pos, RX_DESC_NUM); + } +-- +2.35.1 + diff --git a/queue-5.4/net-mvneta-fix-an-out-of-bounds-check.patch b/queue-5.4/net-mvneta-fix-an-out-of-bounds-check.patch new file mode 100644 index 00000000000..92534e1200d --- /dev/null +++ b/queue-5.4/net-mvneta-fix-an-out-of-bounds-check.patch @@ -0,0 +1,55 @@ +From 3aed06b3793df3f0ff014531c883e86d0679f154 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:06:31 +0300 +Subject: net: mvneta: Fix an out of bounds check + +From: Dan Carpenter + +[ Upstream commit cdd97383e19d4afe29adc3376025a15ae3bab3a3 ] + +In an earlier commit, I added a bounds check to prevent an out of bounds +read and a WARN(). On further discussion and consideration that check +was probably too aggressive. Instead of returning -EINVAL, a better fix +would be to just prevent the out of bounds read but continue the process. + +Background: The value of "pp->rxq_def" is a number between 0-7 by default, +or even higher depending on the value of "rxq_number", which is a module +parameter. If the value is more than the number of available CPUs then +it will trigger the WARN() in cpu_max_bits_warn(). + +Fixes: e8b4fc13900b ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()") +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadam +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 67ba697518d6..2c1ee3268498 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3717,7 +3717,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) + /* Use the cpu associated to the rxq when it is online, in all + * the other cases, use the cpu 0 which can't be offline. + */ +- if (cpu_online(pp->rxq_def)) ++ if (pp->rxq_def < nr_cpu_ids && cpu_online(pp->rxq_def)) + elected_cpu = pp->rxq_def; + + max_cpu = num_present_cpus(); +@@ -4235,9 +4235,6 @@ static int mvneta_config_rss(struct mvneta_port *pp) + napi_disable(&pp->napi); + } + +- if (pp->indir[0] >= nr_cpu_ids) +- return -EINVAL; +- + pp->rxq_def = pp->indir[0]; + + /* Update unicast mapping */ +-- +2.35.1 + diff --git a/queue-5.4/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch b/queue-5.4/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch new file mode 100644 index 00000000000..1a75f623b48 --- /dev/null +++ b/queue-5.4/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch @@ -0,0 +1,41 @@ +From 8b1aecdadd2d7786f9e74144ea9e6323ebe7fe3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 12:58:26 +0300 +Subject: net: mvneta: Prevent out of bounds read in mvneta_config_rss() + +From: Dan Carpenter + +[ Upstream commit e8b4fc13900b8e8be48debffd0dfd391772501f7 ] + +The pp->indir[0] value comes from the user. It is passed to: + + if (cpu_online(pp->rxq_def)) + +inside the mvneta_percpu_elect() function. It needs bounds checkeding +to ensure that it is not beyond the end of the cpu bitmap. + +Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 64aa5510e61a..67ba697518d6 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -4235,6 +4235,9 @@ static int mvneta_config_rss(struct mvneta_port *pp) + napi_disable(&pp->napi); + } + ++ if (pp->indir[0] >= nr_cpu_ids) ++ return -EINVAL; ++ + pp->rxq_def = pp->indir[0]; + + /* Update unicast mapping */ +-- +2.35.1 + diff --git a/queue-5.4/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch b/queue-5.4/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch new file mode 100644 index 00000000000..6c8dcec487d --- /dev/null +++ b/queue-5.4/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch @@ -0,0 +1,46 @@ +From eaa6b32ada6855946df673d926da18b500859056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 09:53:10 +0800 +Subject: net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() + +From: Yang Yingliang + +[ Upstream commit 7d8c19bfc8ff3f78e5337107ca9246327fcb6b45 ] + +It is not allowed to call kfree_skb() or consume_skb() from +hardware interrupt context or with interrupts being disabled. +So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq() +and dev_consume_skb_irq() under spin_lock_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/plip/plip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c +index e8b7d596d749..4b50c28f01a7 100644 +--- a/drivers/net/plip/plip.c ++++ b/drivers/net/plip/plip.c +@@ -444,12 +444,12 @@ plip_bh_timeout_error(struct net_device *dev, struct net_local *nl, + } + rcv->state = PLIP_PK_DONE; + if (rcv->skb) { +- kfree_skb(rcv->skb); ++ dev_kfree_skb_irq(rcv->skb); + rcv->skb = NULL; + } + snd->state = PLIP_PK_DONE; + if (snd->skb) { +- dev_kfree_skb(snd->skb); ++ dev_consume_skb_irq(snd->skb); + snd->skb = NULL; + } + spin_unlock_irq(&nl->lock); +-- +2.35.1 + diff --git a/queue-5.4/net-stmmac-fix-snps-axi-config-node-property-parsing.patch b/queue-5.4/net-stmmac-fix-snps-axi-config-node-property-parsing.patch new file mode 100644 index 00000000000..7928a913aae --- /dev/null +++ b/queue-5.4/net-stmmac-fix-snps-axi-config-node-property-parsing.patch @@ -0,0 +1,45 @@ +From a8ae35510f7d6249b0f4c02eca8165517b80abc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 00:17:39 +0800 +Subject: net: stmmac: fix "snps,axi-config" node property parsing + +From: Jisheng Zhang + +[ Upstream commit 61d4f140943c47c1386ed89f7260e00418dfad9d ] + +In dt-binding snps,dwmac.yaml, some properties under "snps,axi-config" +node are named without "axi_" prefix, but the driver expects the +prefix. Since the dt-binding has been there for a long time, we'd +better make driver match the binding for compatibility. + +Fixes: afea03656add ("stmmac: rework DMA bus setting and introduce new platform AXI structure") +Signed-off-by: Jisheng Zhang +Link: https://lore.kernel.org/r/20221202161739.2203-1-jszhang@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index 70cbf48c2c03..a2ff9b4727ec 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -107,10 +107,10 @@ static struct stmmac_axi *stmmac_axi_setup(struct platform_device *pdev) + + axi->axi_lpi_en = of_property_read_bool(np, "snps,lpi_en"); + axi->axi_xit_frm = of_property_read_bool(np, "snps,xit_frm"); +- axi->axi_kbbe = of_property_read_bool(np, "snps,axi_kbbe"); +- axi->axi_fb = of_property_read_bool(np, "snps,axi_fb"); +- axi->axi_mb = of_property_read_bool(np, "snps,axi_mb"); +- axi->axi_rb = of_property_read_bool(np, "snps,axi_rb"); ++ axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe"); ++ axi->axi_fb = of_property_read_bool(np, "snps,fb"); ++ axi->axi_mb = of_property_read_bool(np, "snps,mb"); ++ axi->axi_rb = of_property_read_bool(np, "snps,rb"); + + if (of_property_read_u32(np, "snps,wr_osr_lmt", &axi->axi_wr_osr_lmt)) + axi->axi_wr_osr_lmt = 1; +-- +2.35.1 + diff --git a/queue-5.4/net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch b/queue-5.4/net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch new file mode 100644 index 00000000000..4f4ba02b59e --- /dev/null +++ b/queue-5.4/net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch @@ -0,0 +1,47 @@ +From 5ffdd92645ca69de0050e8501885c0ce8f9d5024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 09:41:25 +0000 +Subject: net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq + +From: Yongqiang Liu + +[ Upstream commit 42330a32933fb42180c52022804dcf09f47a2f99 ] + +The nicvf_probe() won't destroy workqueue when register_netdev() +failed. Add destroy_workqueue err handle case to fix this issue. + +Fixes: 2ecbe4f4a027 ("net: thunderx: replace global nicvf_rx_mode_wq work queue for all VFs to private for each of them.") +Signed-off-by: Yongqiang Liu +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20221203094125.602812-1-liuyongqiang13@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index 27ea528ef448..e861567b2c49 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -2268,7 +2268,7 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + err = register_netdev(netdev); + if (err) { + dev_err(dev, "Failed to register netdevice\n"); +- goto err_unregister_interrupts; ++ goto err_destroy_workqueue; + } + + nic->msg_enable = debug; +@@ -2277,6 +2277,8 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + return 0; + ++err_destroy_workqueue: ++ destroy_workqueue(nic->nicvf_rx_mode_wq); + err_unregister_interrupts: + nicvf_unregister_interrupts(nic); + err_free_netdev: +-- +2.35.1 + diff --git a/queue-5.4/nfc-nci-bounds-check-struct-nfc_target-arrays.patch b/queue-5.4/nfc-nci-bounds-check-struct-nfc_target-arrays.patch new file mode 100644 index 00000000000..935cf66e89d --- /dev/null +++ b/queue-5.4/nfc-nci-bounds-check-struct-nfc_target-arrays.patch @@ -0,0 +1,62 @@ +From f0ec82f9845efde183a8403ab5c89710f7d0a68f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 13:44:14 -0800 +Subject: NFC: nci: Bounds check struct nfc_target arrays + +From: Kees Cook + +[ Upstream commit e329e71013c9b5a4535b099208493c7826ee4a64 ] + +While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: + + memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) + +This appears to be a legitimate lack of bounds checking in +nci_add_new_protocol(). Add the missing checks. + +Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com +Link: https://lore.kernel.org/lkml/0000000000001c590f05ee7b3ff4@google.com +Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support") +Signed-off-by: Kees Cook +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221202214410.never.693-kees@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/ntf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c +index 33e1170817f0..f8b20cddd5c9 100644 +--- a/net/nfc/nci/ntf.c ++++ b/net/nfc/nci/ntf.c +@@ -218,6 +218,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + target->sens_res = nfca_poll->sens_res; + target->sel_res = nfca_poll->sel_res; + target->nfcid1_len = nfca_poll->nfcid1_len; ++ if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1)) ++ return -EPROTO; + if (target->nfcid1_len > 0) { + memcpy(target->nfcid1, nfca_poll->nfcid1, + target->nfcid1_len); +@@ -226,6 +228,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params; + + target->sensb_res_len = nfcb_poll->sensb_res_len; ++ if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res)) ++ return -EPROTO; + if (target->sensb_res_len > 0) { + memcpy(target->sensb_res, nfcb_poll->sensb_res, + target->sensb_res_len); +@@ -234,6 +238,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev, + nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params; + + target->sensf_res_len = nfcf_poll->sensf_res_len; ++ if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res)) ++ return -EPROTO; + if (target->sensf_res_len > 0) { + memcpy(target->sensf_res, nfcf_poll->sensf_res, + target->sensf_res_len); +-- +2.35.1 + diff --git a/queue-5.4/nvme-initialize-core-quirks-before-calling-nvme_init.patch b/queue-5.4/nvme-initialize-core-quirks-before-calling-nvme_init.patch new file mode 100644 index 00000000000..b8ef397177f --- /dev/null +++ b/queue-5.4/nvme-initialize-core-quirks-before-calling-nvme_init.patch @@ -0,0 +1,57 @@ +From 5ea7410cc8e9e2c9aa2ba1808eab82deedbde6b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 13:52:34 +0100 +Subject: nvme initialize core quirks before calling nvme_init_subsystem + +From: Pankaj Raghav + +[ Upstream commit 6f2d71524bcfdeb1fcbd22a4a92a5b7b161ab224 ] + +A device might have a core quirk for NVME_QUIRK_IGNORE_DEV_SUBNQN +(such as Samsung X5) but it would still give a: + + "missing or invalid SUBNQN field" + +warning as core quirks are filled after calling nvme_init_subnqn. Fill +ctrl->quirks from struct core_quirks before calling nvme_init_subsystem +to fix this. + +Tested on a Samsung X5. + +Fixes: ab9e00cc72fa ("nvme: track subsystems") +Signed-off-by: Pankaj Raghav +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 3b5e5fb158be..029a89aead53 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2806,10 +2806,6 @@ int nvme_init_identify(struct nvme_ctrl *ctrl) + if (!ctrl->identified) { + int i; + +- ret = nvme_init_subsystem(ctrl, id); +- if (ret) +- goto out_free; +- + /* + * Check for quirks. Quirk can depend on firmware version, + * so, in principle, the set of quirks present can change +@@ -2822,6 +2818,10 @@ int nvme_init_identify(struct nvme_ctrl *ctrl) + if (quirk_matches(id, &core_quirks[i])) + ctrl->quirks |= core_quirks[i].quirks; + } ++ ++ ret = nvme_init_subsystem(ctrl, id); ++ if (ret) ++ goto out_free; + } + memcpy(ctrl->subsys->firmware_rev, id->fr, + sizeof(ctrl->subsys->firmware_rev)); +-- +2.35.1 + diff --git a/queue-5.4/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch b/queue-5.4/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch new file mode 100644 index 00000000000..e0a0e39e9f1 --- /dev/null +++ b/queue-5.4/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch @@ -0,0 +1,41 @@ +From fe9b1e91817caacbb8e441c18ea003d09c5f7ae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 16:22:46 +0800 +Subject: selftests: rtnetlink: correct xfrm policy rule in + kci_test_ipsec_offload + +From: Zhengchao Shao + +[ Upstream commit 85a0506c073332a3057f5a9635fa0d4db5a8e03b ] + +When testing in kci_test_ipsec_offload, srcip is configured as $dstip, +it should add xfrm policy rule in instead of out. +The test result of this patch is as follows: +PASS: ipsec_offload + +Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test") +Signed-off-by: Zhengchao Shao +Acked-by: Hangbin Liu +Link: https://lore.kernel.org/r/20221201082246.14131-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/rtnetlink.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh +index 28ea3753da20..911c549f186f 100755 +--- a/tools/testing/selftests/net/rtnetlink.sh ++++ b/tools/testing/selftests/net/rtnetlink.sh +@@ -780,7 +780,7 @@ kci_test_ipsec_offload() + tmpl proto esp src $srcip dst $dstip spi 9 \ + mode transport reqid 42 + check_err $? +- ip x p add dir out src $dstip/24 dst $srcip/24 \ ++ ip x p add dir in src $dstip/24 dst $srcip/24 \ + tmpl proto esp src $dstip dst $srcip spi 9 \ + mode transport reqid 42 + check_err $? +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 9924f07fd41..448ab006035 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -30,3 +30,37 @@ hid-usbhid-add-always_poll-quirk-for-some-mice.patch hid-hid-lg4ff-add-check-for-empty-lbuf.patch hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch +ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch +ca8210-fix-crash-by-zero-initializing-data.patch +drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch +gpio-amd8111-fix-pci-device-reference-count-leak.patch +e1000e-fix-tx-dispatch-condition.patch +igb-allocate-msi-x-vector-when-testing.patch +af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch +bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch +bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch +net-dsa-ksz-check-return-value.patch +selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch +mac802154-fix-missing-init_list_head-in-ieee802154_i.patch +net-encx24j600-add-parentheses-to-fix-precedence.patch +net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch +xen-netfront-fix-null-sring-after-live-migration.patch +net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch +i40e-fix-not-setting-default-xps_cpus-after-reset.patch +i40e-fix-for-vf-mac-address-0.patch +i40e-disallow-ip4-and-ip6-l4_4_bytes.patch +nfc-nci-bounds-check-struct-nfc_target-arrays.patch +nvme-initialize-core-quirks-before-calling-nvme_init.patch +net-stmmac-fix-snps-axi-config-node-property-parsing.patch +net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch +net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch +net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch +tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch +ipv4-fix-incorrect-route-flushing-when-source-addres.patch +ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch +ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch +xen-netback-fix-build-warning.patch +net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch +ipv6-avoid-use-after-free-in-ip6_fragment.patch +net-mvneta-fix-an-out-of-bounds-check.patch +can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch diff --git a/queue-5.4/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch b/queue-5.4/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch new file mode 100644 index 00000000000..cd09f46f112 --- /dev/null +++ b/queue-5.4/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch @@ -0,0 +1,39 @@ +From a908d4ed22c5725888df3f9696b616e387ff16c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:46:35 +0800 +Subject: tipc: Fix potential OOB in tipc_link_proto_rcv() + +From: YueHaibing + +[ Upstream commit 743117a997bbd4840e827295c07e59bcd7f7caa3 ] + +Fix the potential risk of OOB if skb_linearize() fails in +tipc_link_proto_rcv(). + +Fixes: 5cbb28a4bf65 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221203094635.29024-1-yuehaibing@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index 8f2ee71c63c6..b653d16ab21f 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -1971,7 +1971,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + if (tipc_own_addr(l->net) > msg_prevnode(hdr)) + l->net_plane = msg_net_plane(hdr); + +- skb_linearize(skb); ++ if (skb_linearize(skb)) ++ goto exit; ++ + hdr = buf_msg(skb); + data = msg_data(hdr); + +-- +2.35.1 + diff --git a/queue-5.4/xen-netback-fix-build-warning.patch b/queue-5.4/xen-netback-fix-build-warning.patch new file mode 100644 index 00000000000..4dc32317ad3 --- /dev/null +++ b/queue-5.4/xen-netback-fix-build-warning.patch @@ -0,0 +1,40 @@ +From b47451d23fde3295e4d031e315b80f04e5060e80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 08:19:38 +0100 +Subject: xen/netback: fix build warning + +From: Juergen Gross + +[ Upstream commit 7dfa764e0223a324366a2a1fc056d4d9d4e95491 ] + +Commit ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in +the non-linear area") introduced a (valid) build warning. There have +even been reports of this problem breaking networking of Xen guests. + +Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area") +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Reviewed-by: Ross Lagerwall +Tested-by: Jason Andryuk +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/netback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 982e501173f1..036459670fc3 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -523,7 +523,7 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue, + const bool sharedslot = nr_frags && + frag_get_pending_idx(&shinfo->frags[0]) == + copy_pending_idx(skb, copy_count(skb) - 1); +- int i, err; ++ int i, err = 0; + + for (i = 0; i < copy_count(skb); i++) { + int newerr; +-- +2.35.1 + diff --git a/queue-5.4/xen-netfront-fix-null-sring-after-live-migration.patch b/queue-5.4/xen-netfront-fix-null-sring-after-live-migration.patch new file mode 100644 index 00000000000..cbc1c5b918e --- /dev/null +++ b/queue-5.4/xen-netfront-fix-null-sring-after-live-migration.patch @@ -0,0 +1,86 @@ +From a93e84abca951789f99b176535218d5e92b959fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 08:52:48 +0000 +Subject: xen-netfront: Fix NULL sring after live migration + +From: Lin Liu + +[ Upstream commit d50b7914fae04d840ce36491d22133070b18cca9 ] + +A NAPI is setup for each network sring to poll data to kernel +The sring with source host is destroyed before live migration and +new sring with target host is setup after live migration. +The NAPI for the old sring is not deleted until setup new sring +with target host after migration. With busy_poll/busy_read enabled, +the NAPI can be polled before got deleted when resume VM. + +BUG: unable to handle kernel NULL pointer dereference at +0000000000000008 +IP: xennet_poll+0xae/0xd20 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +Call Trace: + finish_task_switch+0x71/0x230 + timerqueue_del+0x1d/0x40 + hrtimer_try_to_cancel+0xb5/0x110 + xennet_alloc_rx_buffers+0x2a0/0x2a0 + napi_busy_loop+0xdb/0x270 + sock_poll+0x87/0x90 + do_sys_poll+0x26f/0x580 + tracing_map_insert+0x1d4/0x2f0 + event_hist_trigger+0x14a/0x260 + + finish_task_switch+0x71/0x230 + __schedule+0x256/0x890 + recalc_sigpending+0x1b/0x50 + xen_sched_clock+0x15/0x20 + __rb_reserve_next+0x12d/0x140 + ring_buffer_lock_reserve+0x123/0x3d0 + event_triggers_call+0x87/0xb0 + trace_event_buffer_commit+0x1c4/0x210 + xen_clocksource_get_cycles+0x15/0x20 + ktime_get_ts64+0x51/0xf0 + SyS_ppoll+0x160/0x1a0 + SyS_ppoll+0x160/0x1a0 + do_syscall_64+0x73/0x130 + entry_SYSCALL_64_after_hwframe+0x41/0xa6 +... +RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900 +CR2: 0000000000000008 +---[ end trace f8601785b354351c ]--- + +xen frontend should remove the NAPIs for the old srings before live +migration as the bond srings are destroyed + +There is a tiny window between the srings are set to NULL and +the NAPIs are disabled, It is safe as the NAPI threads are still +frozen at that time + +Signed-off-by: Lin Liu +Fixes: 4ec2411980d0 ([NET]: Do not check netif_running() and carrier state in ->poll()) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 810fa9968be7..9ae0903bc225 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1621,6 +1621,12 @@ static int netfront_resume(struct xenbus_device *dev) + netif_tx_unlock_bh(info->netdev); + + xennet_disconnect_backend(info); ++ ++ rtnl_lock(); ++ if (info->queues) ++ xennet_destroy_queues(info); ++ rtnl_unlock(); ++ + return 0; + } + +-- +2.35.1 +