From: Sasha Levin Date: Sat, 4 Jan 2025 14:21:15 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.4.289~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3198de6e69fa0e66f617013067c59426d7c180ef;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch b/queue-5.4/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch new file mode 100644 index 00000000000..bd53e496b13 --- /dev/null +++ b/queue-5.4/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch @@ -0,0 +1,149 @@ +From 99c1f95f1481bcaebb57b0f1e953bb55b56efa96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:10:04 +0000 +Subject: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK + +From: Eric Dumazet + +[ Upstream commit f91a5b8089389eb408501af2762f168c3aaa7b79 ] + +Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found +by syzbot. + +Rework vlan_get_protocol_dgram() to not touch skb at all, +so that it can be used from many cpus on the same skb. + +Add a const qualifier to skb argument. + +[1] +skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev: +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc900038d7638 EFLAGS: 00010282 +RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60 +R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140 +R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011 +FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585 + packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552 + sock_recvmsg_nosec net/socket.c:1033 [inline] + sock_recvmsg+0x22f/0x280 net/socket.c:1055 + ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803 + ___sys_recvmsg net/socket.c:2845 [inline] + do_recvmmsg+0x426/0xab0 net/socket.c:2940 + __sys_recvmmsg net/socket.c:3014 [inline] + __do_sys_recvmmsg net/socket.c:3037 [inline] + __se_sys_recvmmsg net/socket.c:3030 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") +Reported-by: syzbot+74f70bb1cb968bf09e4f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c5.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Chengen Du +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20241230161004.2681892-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_vlan.h | 16 +++++++++++++--- + net/packet/af_packet.c | 16 ++++------------ + 2 files changed, 17 insertions(+), 15 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 4e7e72f3da5b..b3dae069bcd9 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -574,13 +574,16 @@ static inline int vlan_get_tag(const struct sk_buff *skb, u16 *vlan_tci) + * vlan_get_protocol - get protocol EtherType. + * @skb: skbuff to query + * @type: first vlan protocol ++ * @mac_offset: MAC offset + * @depth: buffer to store length of eth and vlan tags in bytes + * + * Returns the EtherType of the packet, regardless of whether it is + * vlan encapsulated (normal or hardware accelerated) or not. + */ +-static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, +- int *depth) ++static inline __be16 __vlan_get_protocol_offset(const struct sk_buff *skb, ++ __be16 type, ++ int mac_offset, ++ int *depth) + { + unsigned int vlan_depth = skb->mac_len, parse_depth = VLAN_MAX_DEPTH; + +@@ -599,7 +602,8 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, + do { + struct vlan_hdr vhdr, *vh; + +- vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr); ++ vh = skb_header_pointer(skb, mac_offset + vlan_depth, ++ sizeof(vhdr), &vhdr); + if (unlikely(!vh || !--parse_depth)) + return 0; + +@@ -614,6 +618,12 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, + return type; + } + ++static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, ++ int *depth) ++{ ++ return __vlan_get_protocol_offset(skb, type, 0, depth); ++} ++ + /** + * vlan_get_protocol - get protocol EtherType. + * @skb: skbuff to query +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 4938926137b2..b1cf6a069e63 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -522,21 +522,13 @@ static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev) + return ntohs(vh->h_vlan_TCI); + } + +-static __be16 vlan_get_protocol_dgram(struct sk_buff *skb) ++static __be16 vlan_get_protocol_dgram(const struct sk_buff *skb) + { + __be16 proto = skb->protocol; + +- if (unlikely(eth_type_vlan(proto))) { +- u8 *skb_orig_data = skb->data; +- int skb_orig_len = skb->len; +- +- skb_push(skb, skb->data - skb_mac_header(skb)); +- proto = __vlan_get_protocol(skb, proto, NULL); +- if (skb_orig_data != skb->data) { +- skb->data = skb_orig_data; +- skb->len = skb_orig_len; +- } +- } ++ if (unlikely(eth_type_vlan(proto))) ++ proto = __vlan_get_protocol_offset(skb, proto, ++ skb_mac_offset(skb), NULL); + + return proto; + } +-- +2.39.5 + diff --git a/queue-5.4/af_packet-fix-vlan_get_tci-vs-msg_peek.patch b/queue-5.4/af_packet-fix-vlan_get_tci-vs-msg_peek.patch new file mode 100644 index 00000000000..9cff69f58d8 --- /dev/null +++ b/queue-5.4/af_packet-fix-vlan_get_tci-vs-msg_peek.patch @@ -0,0 +1,102 @@ +From d2f56827f5fd50a30aca21c01e47cac437e3b56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:10:03 +0000 +Subject: af_packet: fix vlan_get_tci() vs MSG_PEEK + +From: Eric Dumazet + +[ Upstream commit 77ee7a6d16b6ec07b5c3ae2b6b60a24c1afbed09 ] + +Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found +by syzbot. + +Rework vlan_get_tci() to not touch skb at all, +so that it can be used from many cpus on the same skb. + +Add a const qualifier to skb argument. + +[1] +skbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev: +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286 +RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50 +R10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140 +R13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014 +FS: 00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565 + packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616 + sock_recvmsg_nosec net/socket.c:1044 [inline] + sock_recvmsg+0x22f/0x280 net/socket.c:1066 + ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814 + ___sys_recvmsg net/socket.c:2856 [inline] + do_recvmmsg+0x426/0xab0 net/socket.c:2951 + __sys_recvmmsg net/socket.c:3025 [inline] + __do_sys_recvmmsg net/socket.c:3048 [inline] + __se_sys_recvmmsg net/socket.c:3041 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") +Reported-by: syzbot+8400677f3fd43f37d3bc@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c6.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Chengen Du +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20241230161004.2681892-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 88bc4a21dda4..4938926137b2 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -492,10 +492,8 @@ static void *packet_current_frame(struct packet_sock *po, + return packet_lookup_frame(po, rb, rb->head, status); + } + +-static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) ++static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev) + { +- u8 *skb_orig_data = skb->data; +- int skb_orig_len = skb->len; + struct vlan_hdr vhdr, *vh; + unsigned int header_len; + +@@ -516,12 +514,8 @@ static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) + else + return 0; + +- skb_push(skb, skb->data - skb_mac_header(skb)); +- vh = skb_header_pointer(skb, header_len, sizeof(vhdr), &vhdr); +- if (skb_orig_data != skb->data) { +- skb->data = skb_orig_data; +- skb->len = skb_orig_len; +- } ++ vh = skb_header_pointer(skb, skb_mac_offset(skb) + header_len, ++ sizeof(vhdr), &vhdr); + if (unlikely(!vh)) + return 0; + +-- +2.39.5 + diff --git a/queue-5.4/alsa-usb-audio-us16x08-initialize-array-before-use.patch b/queue-5.4/alsa-usb-audio-us16x08-initialize-array-before-use.patch new file mode 100644 index 00000000000..f7048f6be7a --- /dev/null +++ b/queue-5.4/alsa-usb-audio-us16x08-initialize-array-before-use.patch @@ -0,0 +1,43 @@ +From ad34257a12d173ca02b6af894e22b30310c9074e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Dec 2024 11:32:42 +0530 +Subject: ALSA: usb-audio: US16x08: Initialize array before use + +From: Tanya Agarwal + +[ Upstream commit b06a6187ef983f501e93faa56209169752d3bde3 ] + +Initialize meter_urb array before use in mixer_us16x08.c. + +CID 1410197: (#1 of 1): Uninitialized scalar variable (UNINIT) +uninit_use_in_call: Using uninitialized value *meter_urb when +calling get_meter_levels_from_urb. + +Coverity Link: +https://scan7.scan.coverity.com/#/project-view/52849/11354?selectedIssue=1410197 + +Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk") +Signed-off-by: Tanya Agarwal +Link: https://patch.msgid.link/20241229060240.1642-1-tanyaagarwal25699@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_us16x08.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c +index c6c834ac83ac..eb59a59dcdbf 100644 +--- a/sound/usb/mixer_us16x08.c ++++ b/sound/usb/mixer_us16x08.c +@@ -687,7 +687,7 @@ static int snd_us16x08_meter_get(struct snd_kcontrol *kcontrol, + struct usb_mixer_elem_info *elem = kcontrol->private_data; + struct snd_usb_audio *chip = elem->head.mixer->chip; + struct snd_us16x08_meter_store *store = elem->private_data; +- u8 meter_urb[64]; ++ u8 meter_urb[64] = {0}; + + switch (kcontrol->private_value) { + case 0: { +-- +2.39.5 + diff --git a/queue-5.4/drm-bridge-adv7511-enable-spdif-dai.patch b/queue-5.4/drm-bridge-adv7511-enable-spdif-dai.patch new file mode 100644 index 00000000000..067c7890cc6 --- /dev/null +++ b/queue-5.4/drm-bridge-adv7511-enable-spdif-dai.patch @@ -0,0 +1,69 @@ +From d6e80b9315719d2f70ed393c78c025970c2d5abb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Apr 2020 14:35:07 +0300 +Subject: drm: bridge: adv7511: Enable SPDIF DAI + +From: Bogdan Togorean + +[ Upstream commit f7f436b99364a3904387eba613fc69853cc2f220 ] + +ADV7511 support I2S or SPDIF as audio input interfaces. This commit +enable support for SPDIF. + +Signed-off-by: Bogdan Togorean +Reviewed-by: Andrzej Hajda +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/20200413113513.86091-1-bogdan.togorean@analog.com +Stable-dep-of: 902806baf3c1 ("drm/bridge: adv7511_audio: Update Audio InfoFrame properly") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +index d05b3033b510..f101dd2819b5 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +@@ -121,6 +121,9 @@ int adv7511_hdmi_hw_params(struct device *dev, void *data, + audio_source = ADV7511_AUDIO_SOURCE_I2S; + i2s_format = ADV7511_I2S_FORMAT_LEFT_J; + break; ++ case HDMI_SPDIF: ++ audio_source = ADV7511_AUDIO_SOURCE_SPDIF; ++ break; + default: + return -EINVAL; + } +@@ -177,11 +180,21 @@ static int audio_startup(struct device *dev, void *data) + /* use Audio infoframe updated info */ + regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(1), + BIT(5), 0); ++ /* enable SPDIF receiver */ ++ if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF) ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG, ++ BIT(7), BIT(7)); ++ + return 0; + } + + static void audio_shutdown(struct device *dev, void *data) + { ++ struct adv7511 *adv7511 = dev_get_drvdata(dev); ++ ++ if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF) ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG, ++ BIT(7), 0); + } + + static int adv7511_hdmi_i2s_get_dai_id(struct snd_soc_component *component, +@@ -215,6 +228,7 @@ static const struct hdmi_codec_pdata codec_data = { + .ops = &adv7511_codec_ops, + .max_i2s_channels = 2, + .i2s = 1, ++ .spdif = 1, + }; + + int adv7511_audio_init(struct device *dev, struct adv7511 *adv7511) +-- +2.39.5 + diff --git a/queue-5.4/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch b/queue-5.4/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch new file mode 100644 index 00000000000..0bb080cc2b5 --- /dev/null +++ b/queue-5.4/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch @@ -0,0 +1,74 @@ +From 781bf7474b9bc59be28292a1bd9c7351805eff0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 08:40:29 +0100 +Subject: drm/bridge: adv7511_audio: Update Audio InfoFrame properly + +From: Stefan Ekenberg + +[ Upstream commit 902806baf3c1e8383c1fe3ff0b6042b8cb5c2707 ] + +AUDIO_UPDATE bit (Bit 5 of MAIN register 0x4A) needs to be set to 1 +while updating Audio InfoFrame information and then set to 0 when done. +Otherwise partially updated Audio InfoFrames could be sent out. Two +cases where this rule were not followed are fixed: + - In adv7511_hdmi_hw_params() make sure AUDIO_UPDATE bit is updated + before/after setting ADV7511_REG_AUDIO_INFOFRAME. + - In audio_startup() use the correct register for clearing + AUDIO_UPDATE bit. + +The problem with corrupted audio infoframes were discovered by letting +a HDMI logic analyser check the output of ADV7535. + +Note that this patchs replaces writing REG_GC(1) with +REG_INFOFRAME_UPDATE. Bit 5 of REG_GC(1) is positioned within field +GC_PP[3:0] and that field doesn't control audio infoframe and is read- +only. My conclusion therefore was that the author if this code meant to +clear bit 5 of REG_INFOFRAME_UPDATE from the very beginning. + +Tested-by: Biju Das +Fixes: 53c515befe28 ("drm/bridge: adv7511: Add Audio support") +Signed-off-by: Stefan Ekenberg +Reviewed-by: Dmitry Baryshkov +Link: https://patchwork.freedesktop.org/patch/msgid/20241119-adv7511-audio-info-frame-v4-1-4ae68e76c89c@axis.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +index f101dd2819b5..0a1ac11e2e4f 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +@@ -147,7 +147,16 @@ int adv7511_hdmi_hw_params(struct device *dev, void *data, + ADV7511_AUDIO_CFG3_LEN_MASK, len); + regmap_update_bits(adv7511->regmap, ADV7511_REG_I2C_FREQ_ID_CFG, + ADV7511_I2C_FREQ_ID_CFG_RATE_MASK, rate << 4); +- regmap_write(adv7511->regmap, 0x73, 0x1); ++ ++ /* send current Audio infoframe values while updating */ ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, ++ BIT(5), BIT(5)); ++ ++ regmap_write(adv7511->regmap, ADV7511_REG_AUDIO_INFOFRAME(0), 0x1); ++ ++ /* use Audio infoframe updated info */ ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, ++ BIT(5), 0); + + return 0; + } +@@ -178,8 +187,9 @@ static int audio_startup(struct device *dev, void *data) + regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(0), + BIT(7) | BIT(6), BIT(7)); + /* use Audio infoframe updated info */ +- regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(1), ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, + BIT(5), 0); ++ + /* enable SPDIF receiver */ + if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF) + regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG, +-- +2.39.5 + diff --git a/queue-5.4/ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch b/queue-5.4/ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch new file mode 100644 index 00000000000..6cd85858c50 --- /dev/null +++ b/queue-5.4/ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch @@ -0,0 +1,57 @@ +From 141c1fe31feaf455ef8446df7d90fb38625bdb31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 23:35:30 +0000 +Subject: IB/mlx5: Introduce and use mlx5_core_is_vf() + +From: Parav Pandit + +[ Upstream commit e53a9d26cf80565cfb7172fc52a0dfac73613a0f ] + +Instead of deciding a given device is virtual function or +not based on a device is PF or not, use already defined +MLX5_COREDEV_VF by introducing an helper API mlx5_core_is_vf(). + +This enables to clearly identify PF, VF and non virtual functions. + +Signed-off-by: Parav Pandit +Reviewed-by: Vu Pham +Signed-off-by: Saeed Mahameed +Stable-dep-of: e05feab22fd7 ("RDMA/mlx5: Enforce same type port association for multiport RoCE") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + include/linux/mlx5/driver.h | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 6698032af87d..5e00acb9bb31 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -1034,7 +1034,7 @@ static int mlx5_ib_query_device(struct ib_device *ibdev, + if (MLX5_CAP_GEN(mdev, cd)) + props->device_cap_flags |= IB_DEVICE_CROSS_CHANNEL; + +- if (!mlx5_core_is_pf(mdev)) ++ if (mlx5_core_is_vf(mdev)) + props->device_cap_flags |= IB_DEVICE_VIRTUAL_FUNCTION; + + if (mlx5_ib_port_link_layer(ibdev, 1) == +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 18fd0a030584..9744d9a2d71e 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1132,6 +1132,11 @@ static inline bool mlx5_core_is_pf(const struct mlx5_core_dev *dev) + return dev->coredev_type == MLX5_COREDEV_PF; + } + ++static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev) ++{ ++ return dev->coredev_type == MLX5_COREDEV_VF; ++} ++ + static inline bool mlx5_core_is_ecpf(struct mlx5_core_dev *dev) + { + return dev->caps.embedded_cpu; +-- +2.39.5 + diff --git a/queue-5.4/ila-serialize-calls-to-nf_register_net_hooks.patch b/queue-5.4/ila-serialize-calls-to-nf_register_net_hooks.patch new file mode 100644 index 00000000000..49e6d2c3580 --- /dev/null +++ b/queue-5.4/ila-serialize-calls-to-nf_register_net_hooks.patch @@ -0,0 +1,113 @@ +From e9cf36dcde7d7bf24a3941e426aafb379084fcf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:28:49 +0000 +Subject: ila: serialize calls to nf_register_net_hooks() + +From: Eric Dumazet + +[ Upstream commit 260466b576bca0081a7d4acecc8e93687aa22d0e ] + +syzbot found a race in ila_add_mapping() [1] + +commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") +attempted to fix a similar issue. + +Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. + +Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). + +[1] + BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] + BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 +Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 + +CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xc3/0x620 mm/kasan/report.c:489 + kasan_report+0xd9/0x110 mm/kasan/report.c:602 + rht_key_hashfn include/linux/rhashtable.h:159 [inline] + __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 + rhashtable_lookup include/linux/rhashtable.h:646 [inline] + rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] + ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] + ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] + ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 + nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 + __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 + __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 + process_backlog+0x443/0x15f0 net/core/dev.c:6117 + __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 + napi_poll net/core/dev.c:6952 [inline] + net_rx_action+0xa94/0x1010 net/core/dev.c:7074 + handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 + __do_softirq kernel/softirq.c:595 [inline] + invoke_softirq kernel/softirq.c:435 [inline] + __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] + sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 + +Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility") +Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Florian Westphal +Cc: Tom Herbert +Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ila/ila_xlat.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c +index 1a0f580da652..5ca527110d02 100644 +--- a/net/ipv6/ila/ila_xlat.c ++++ b/net/ipv6/ila/ila_xlat.c +@@ -201,6 +201,8 @@ static const struct nf_hook_ops ila_nf_hook_ops[] = { + }, + }; + ++static DEFINE_MUTEX(ila_mutex); ++ + static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp) + { + struct ila_net *ilan = net_generic(net, ila_net_id); +@@ -208,16 +210,20 @@ static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp) + spinlock_t *lock = ila_get_lock(ilan, xp->ip.locator_match); + int err = 0, order; + +- if (!ilan->xlat.hooks_registered) { ++ if (!READ_ONCE(ilan->xlat.hooks_registered)) { + /* We defer registering net hooks in the namespace until the + * first mapping is added. + */ +- err = nf_register_net_hooks(net, ila_nf_hook_ops, +- ARRAY_SIZE(ila_nf_hook_ops)); ++ mutex_lock(&ila_mutex); ++ if (!ilan->xlat.hooks_registered) { ++ err = nf_register_net_hooks(net, ila_nf_hook_ops, ++ ARRAY_SIZE(ila_nf_hook_ops)); ++ if (!err) ++ WRITE_ONCE(ilan->xlat.hooks_registered, true); ++ } ++ mutex_unlock(&ila_mutex); + if (err) + return err; +- +- ilan->xlat.hooks_registered = true; + } + + ila = kzalloc(sizeof(*ila), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.4/net-llc-reset-skb-transport_header.patch b/queue-5.4/net-llc-reset-skb-transport_header.patch new file mode 100644 index 00000000000..cc14c8723f9 --- /dev/null +++ b/queue-5.4/net-llc-reset-skb-transport_header.patch @@ -0,0 +1,62 @@ +From 745f93d1576527297dd4cff91d64a33d44ed6a33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 20:07:20 -0500 +Subject: net: llc: reset skb->transport_header + +From: Antonio Pastor + +[ Upstream commit a024e377efed31ecfb39210bed562932321345b3 ] + +802.2+LLC+SNAP frames received by napi_complete_done with GRO and DSA +have skb->transport_header set two bytes short, or pointing 2 bytes +before network_header & skb->data. As snap_rcv expects transport_header +to point to SNAP header (OID:PID) after LLC processing advances offset +over LLC header (llc_rcv & llc_fixup_skb), code doesn't find a match +and packet is dropped. + +Between napi_complete_done and snap_rcv, transport_header is not used +until __netif_receive_skb_core, where originally it was being reset. +Commit fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +only does so if not set, on the assumption the value was set correctly +by GRO (and also on assumption that "network stacks usually reset the +transport header anyway"). Afterwards it is moved forward by +llc_fixup_skb. + +Locally generated traffic shows up at __netif_receive_skb_core with no +transport_header set and is processed without issue. On a setup with +GRO but no DSA, transport_header and network_header are both set to +point to skb->data which is also correct. + +As issue is LLC specific, to avoid impacting non-LLC traffic, and to +follow up on original assumption made on previous code change, +llc_fixup_skb to reset the offset after skb pull. llc_fixup_skb +assumes the LLC header is at skb->data, and by definition SNAP header +immediately follows. + +Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +Signed-off-by: Antonio Pastor +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241225010723.2830290-1-antonio.pastor@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index f4fb309185ce..4229c349651d 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -124,8 +124,8 @@ static inline int llc_fixup_skb(struct sk_buff *skb) + if (unlikely(!pskb_may_pull(skb, llc_len))) + return 0; + +- skb->transport_header += llc_len; + skb_pull(skb, llc_len); ++ skb_reset_transport_header(skb); + if (skb->protocol == htons(ETH_P_802_2)) { + __be16 pdulen; + s32 data_size; +-- +2.39.5 + diff --git a/queue-5.4/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch b/queue-5.4/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch new file mode 100644 index 00000000000..87c43470f33 --- /dev/null +++ b/queue-5.4/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch @@ -0,0 +1,37 @@ +From 4d7aefbcba7ce77bf7e359935708c581d72919d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2020 15:03:36 -0800 +Subject: net/mlx5: Make API mlx5_core_is_ecpf accept const pointer + +From: Parav Pandit + +[ Upstream commit 3b1e58aa832ed537289be6a51a2015309688a90c ] + +Subsequent patch implements helper API which has mlx5_core_dev +as const pointer, make its caller API too const *. + +Signed-off-by: Parav Pandit +Reviewed-by: Bodong Wang +Signed-off-by: Saeed Mahameed +Stable-dep-of: e05feab22fd7 ("RDMA/mlx5: Enforce same type port association for multiport RoCE") +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/driver.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 9744d9a2d71e..882197037654 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1137,7 +1137,7 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev) + return dev->coredev_type == MLX5_COREDEV_VF; + } + +-static inline bool mlx5_core_is_ecpf(struct mlx5_core_dev *dev) ++static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev) + { + return dev->caps.embedded_cpu; + } +-- +2.39.5 + diff --git a/queue-5.4/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch b/queue-5.4/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch new file mode 100644 index 00000000000..d85cbcbc595 --- /dev/null +++ b/queue-5.4/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch @@ -0,0 +1,96 @@ +From cd603ec8bfec76d16942b5f0b194cbad72b84467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Dec 2024 00:29:20 +0100 +Subject: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext + +From: Pablo Neira Ayuso + +[ Upstream commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 ] + +Access to genmask field in struct nft_set_ext results in unaligned +atomic read: + +[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c +[ 72.131036] Mem abort info: +[ 72.131213] ESR = 0x0000000096000021 +[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits +[ 72.132209] SET = 0, FnV = 0 +[ 72.133216] EA = 0, S1PTW = 0 +[ 72.134080] FSC = 0x21: alignment fault +[ 72.135593] Data abort info: +[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 +[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000 +[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, ++pte=0068000102bb7707 +[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP +[...] +[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2 +[ 72.170509] Tainted: [E]=UNSIGNED_MODULE +[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023 +[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] +[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables] +[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables] +[ 72.172546] sp : ffff800081f2bce0 +[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038 +[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78 +[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78 +[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000 +[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978 +[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0 +[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000 +[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000 +[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000 +[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004 +[ 72.176207] Call trace: +[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P) +[ 72.176653] process_one_work+0x178/0x3d0 +[ 72.176831] worker_thread+0x200/0x3f0 +[ 72.176995] kthread+0xe8/0xf8 +[ 72.177130] ret_from_fork+0x10/0x20 +[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f) +[ 72.177557] ---[ end trace 0000000000000000 ]--- + +Align struct nft_set_ext to word size to address this and +documentation it. + +pahole reports that this increases the size of elements for rhash and +pipapo in 8 bytes on x86_64. + +Fixes: 7ffc7481153b ("netfilter: nft_set_hash: skip duplicated elements pending gc run") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index c50dee30a70c..92551a765a44 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -571,15 +571,18 @@ struct nft_set_ext_tmpl { + /** + * struct nft_set_ext - set extensions + * +- * @genmask: generation mask ++ * @genmask: generation mask, but also flags (see NFT_SET_ELEM_DEAD_BIT) + * @offset: offsets of individual extension types + * @data: beginning of extension data ++ * ++ * This structure must be aligned to word size, otherwise atomic bitops ++ * on genmask field can cause alignment failure on some archs. + */ + struct nft_set_ext { + u8 genmask; + u8 offset[NFT_SET_EXT_NUM]; + char data[]; +-}; ++} __aligned(BITS_PER_LONG / 8); + + static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) + { +-- +2.39.5 + diff --git a/queue-5.4/netfilter-replace-zero-length-array-with-flexible-ar.patch b/queue-5.4/netfilter-replace-zero-length-array-with-flexible-ar.patch new file mode 100644 index 00000000000..db81c3784a4 --- /dev/null +++ b/queue-5.4/netfilter-replace-zero-length-array-with-flexible-ar.patch @@ -0,0 +1,435 @@ +From 7a130d28e82f2bc826f41255df8bf1da70ad8e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2020 07:59:14 -0600 +Subject: netfilter: Replace zero-length array with flexible-array member + +From: Gustavo A. R. Silva + +[ Upstream commit 6daf14140129d30207ed6a0a69851fa6a3636bda ] + +The current codebase makes use of the zero-length array language +extension to the C90 standard, but the preferred mechanism to declare +variable-length types such as these ones is a flexible array member[1][2], +introduced in C99: + +struct foo { + int stuff; + struct boo array[]; +}; + +By making use of the mechanism above, we will get a compiler warning +in case the flexible array does not occur last in the structure, which +will help us prevent some kind of undefined behavior bugs from being +inadvertently introduced[3] to the codebase from now on. + +Also, notice that, dynamic memory allocations won't be affected by +this change: + +"Flexible array members have incomplete type, and so the sizeof operator +may not be applied. As a quirk of the original implementation of +zero-length arrays, sizeof evaluates to zero."[1] + +Lastly, fix checkpatch.pl warning +WARNING: __aligned(size) is preferred over __attribute__((aligned(size))) +in net/bridge/netfilter/ebtables.c + +This issue was found with the help of Coccinelle. + +[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html +[2] https://github.com/KSPP/linux/issues/21 +[3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 542ed8145e6f ("netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext") +Signed-off-by: Sasha Levin +--- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/x_tables.h | 8 ++++---- + include/linux/netfilter_arp/arp_tables.h | 2 +- + include/linux/netfilter_bridge/ebtables.h | 2 +- + include/linux/netfilter_ipv4/ip_tables.h | 2 +- + include/linux/netfilter_ipv6/ip6_tables.h | 2 +- + include/net/netfilter/nf_conntrack_extend.h | 2 +- + include/net/netfilter/nf_conntrack_timeout.h | 2 +- + include/net/netfilter/nf_tables.h | 6 +++--- + include/uapi/linux/netfilter_bridge/ebt_among.h | 2 +- + net/bridge/netfilter/ebtables.c | 2 +- + net/ipv4/netfilter/arp_tables.c | 4 ++-- + net/ipv4/netfilter/ip_tables.c | 4 ++-- + net/ipv6/netfilter/ip6_tables.c | 4 ++-- + net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +- + net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +- + net/netfilter/ipset/ip_set_bitmap_port.c | 2 +- + net/netfilter/ipset/ip_set_hash_gen.h | 4 ++-- + net/netfilter/nfnetlink_acct.c | 2 +- + net/netfilter/xt_hashlimit.c | 2 +- + net/netfilter/xt_recent.c | 4 ++-- + 21 files changed, 31 insertions(+), 31 deletions(-) + +diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h +index 35342fb48866..ef6a9d082c2c 100644 +--- a/include/linux/netfilter/ipset/ip_set.h ++++ b/include/linux/netfilter/ipset/ip_set.h +@@ -98,7 +98,7 @@ struct ip_set_counter { + + struct ip_set_comment_rcu { + struct rcu_head rcu; +- char str[0]; ++ char str[]; + }; + + struct ip_set_comment { +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +index 04e7f5630509..e66ef9bf6ff3 100644 +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -264,7 +264,7 @@ struct xt_table_info { + unsigned int stacksize; + void ***jumpstack; + +- unsigned char entries[0] __aligned(8); ++ unsigned char entries[] __aligned(8); + }; + + int xt_register_target(struct xt_target *target); +@@ -464,7 +464,7 @@ struct compat_xt_entry_match { + } kernel; + u_int16_t match_size; + } u; +- unsigned char data[0]; ++ unsigned char data[]; + }; + + struct compat_xt_entry_target { +@@ -480,7 +480,7 @@ struct compat_xt_entry_target { + } kernel; + u_int16_t target_size; + } u; +- unsigned char data[0]; ++ unsigned char data[]; + }; + + /* FIXME: this works only on 32 bit tasks +@@ -494,7 +494,7 @@ struct compat_xt_counters { + struct compat_xt_counters_info { + char name[XT_TABLE_MAXNAMELEN]; + compat_uint_t num_counters; +- struct compat_xt_counters counters[0]; ++ struct compat_xt_counters counters[]; + }; + + struct _compat_xt_align { +diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h +index 6988cf9ffe3a..26a13294318c 100644 +--- a/include/linux/netfilter_arp/arp_tables.h ++++ b/include/linux/netfilter_arp/arp_tables.h +@@ -68,7 +68,7 @@ struct compat_arpt_entry { + __u16 next_offset; + compat_uint_t comefrom; + struct compat_xt_counters counters; +- unsigned char elems[0]; ++ unsigned char elems[]; + }; + + static inline struct xt_entry_target * +diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h +index f0d846df3a42..a18fb73a2b77 100644 +--- a/include/linux/netfilter_bridge/ebtables.h ++++ b/include/linux/netfilter_bridge/ebtables.h +@@ -85,7 +85,7 @@ struct ebt_table_info { + /* room to maintain the stack used for jumping from and into udc */ + struct ebt_chainstack **chainstack; + char *entries; +- struct ebt_counter counters[0] ____cacheline_aligned; ++ struct ebt_counter counters[] ____cacheline_aligned; + }; + + struct ebt_table { +diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h +index e9e1ed74cdf1..b394bd4f68a3 100644 +--- a/include/linux/netfilter_ipv4/ip_tables.h ++++ b/include/linux/netfilter_ipv4/ip_tables.h +@@ -76,7 +76,7 @@ struct compat_ipt_entry { + __u16 next_offset; + compat_uint_t comefrom; + struct compat_xt_counters counters; +- unsigned char elems[0]; ++ unsigned char elems[]; + }; + + /* Helper functions */ +diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h +index 78ab959c4575..8225f7821a29 100644 +--- a/include/linux/netfilter_ipv6/ip6_tables.h ++++ b/include/linux/netfilter_ipv6/ip6_tables.h +@@ -43,7 +43,7 @@ struct compat_ip6t_entry { + __u16 next_offset; + compat_uint_t comefrom; + struct compat_xt_counters counters; +- unsigned char elems[0]; ++ unsigned char elems[]; + }; + + static inline struct xt_entry_target * +diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h +index 112a6f40dfaf..d0e87120d2f4 100644 +--- a/include/net/netfilter/nf_conntrack_extend.h ++++ b/include/net/netfilter/nf_conntrack_extend.h +@@ -46,7 +46,7 @@ struct nf_ct_ext { + struct rcu_head rcu; + u8 offset[NF_CT_EXT_NUM]; + u8 len; +- char data[0]; ++ char data[]; + }; + + static inline bool __nf_ct_ext_exist(const struct nf_ct_ext *ext, u8 id) +diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h +index 6dd72396f534..659b0ea25b4d 100644 +--- a/include/net/netfilter/nf_conntrack_timeout.h ++++ b/include/net/netfilter/nf_conntrack_timeout.h +@@ -14,7 +14,7 @@ + struct nf_ct_timeout { + __u16 l3num; + const struct nf_conntrack_l4proto *l4proto; +- char data[0]; ++ char data[]; + }; + + struct ctnl_timeout { +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 648aac42dfec..c50dee30a70c 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -226,7 +226,7 @@ int nft_parse_register_store(const struct nft_ctx *ctx, + */ + struct nft_userdata { + u8 len; +- unsigned char data[0]; ++ unsigned char data[]; + }; + + /** +@@ -578,7 +578,7 @@ struct nft_set_ext_tmpl { + struct nft_set_ext { + u8 genmask; + u8 offset[NFT_SET_EXT_NUM]; +- char data[0]; ++ char data[]; + }; + + static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) +@@ -1357,7 +1357,7 @@ struct nft_trans { + int msg_type; + bool put_net; + struct nft_ctx ctx; +- char data[0]; ++ char data[]; + }; + + struct nft_trans_rule { +diff --git a/include/uapi/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h +index 9acf757bc1f7..73b26a280c4f 100644 +--- a/include/uapi/linux/netfilter_bridge/ebt_among.h ++++ b/include/uapi/linux/netfilter_bridge/ebt_among.h +@@ -40,7 +40,7 @@ struct ebt_mac_wormhash_tuple { + struct ebt_mac_wormhash { + int table[257]; + int poolsize; +- struct ebt_mac_wormhash_tuple pool[0]; ++ struct ebt_mac_wormhash_tuple pool[]; + }; + + #define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \ +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index f6853fc0fcc0..9d07cf277759 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1581,7 +1581,7 @@ struct compat_ebt_entry_mwt { + compat_uptr_t ptr; + } u; + compat_uint_t match_size; +- compat_uint_t data[0] __attribute__ ((aligned (__alignof__(struct compat_ebt_replace)))); ++ compat_uint_t data[] __aligned(__alignof__(struct compat_ebt_replace)); + }; + + /* account for possible padding between match_size and ->data */ +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index a6f2e5bf7045..c62c9713e7dd 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1057,7 +1057,7 @@ struct compat_arpt_replace { + u32 underflow[NF_ARP_NUMHOOKS]; + u32 num_counters; + compat_uptr_t counters; +- struct compat_arpt_entry entries[0]; ++ struct compat_arpt_entry entries[]; + }; + + static inline void compat_release_entry(struct compat_arpt_entry *e) +@@ -1385,7 +1385,7 @@ static int compat_copy_entries_to_user(unsigned int total_size, + struct compat_arpt_get_entries { + char name[XT_TABLE_MAXNAMELEN]; + compat_uint_t size; +- struct compat_arpt_entry entrytable[0]; ++ struct compat_arpt_entry entrytable[]; + }; + + static int compat_get_entries(struct net *net, +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 0076449eea35..c21ba5e62fff 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1211,7 +1211,7 @@ struct compat_ipt_replace { + u32 underflow[NF_INET_NUMHOOKS]; + u32 num_counters; + compat_uptr_t counters; /* struct xt_counters * */ +- struct compat_ipt_entry entries[0]; ++ struct compat_ipt_entry entries[]; + }; + + static int +@@ -1564,7 +1564,7 @@ compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, + struct compat_ipt_get_entries { + char name[XT_TABLE_MAXNAMELEN]; + compat_uint_t size; +- struct compat_ipt_entry entrytable[0]; ++ struct compat_ipt_entry entrytable[]; + }; + + static int +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 41268612bdd4..010a70402828 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1228,7 +1228,7 @@ struct compat_ip6t_replace { + u32 underflow[NF_INET_NUMHOOKS]; + u32 num_counters; + compat_uptr_t counters; /* struct xt_counters * */ +- struct compat_ip6t_entry entries[0]; ++ struct compat_ip6t_entry entries[]; + }; + + static int +@@ -1574,7 +1574,7 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, + struct compat_ip6t_get_entries { + char name[XT_TABLE_MAXNAMELEN]; + compat_uint_t size; +- struct compat_ip6t_entry entrytable[0]; ++ struct compat_ip6t_entry entrytable[]; + }; + + static int +diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c +index e758b8120020..8fb170c7327f 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -46,7 +46,7 @@ struct bitmap_ip { + u8 netmask; /* subnet netmask */ + struct timer_list gc; /* garbage collection */ + struct ip_set *set; /* attached to this ip_set */ +- unsigned char extensions[0] /* data extensions */ ++ unsigned char extensions[] /* data extensions */ + __aligned(__alignof__(u64)); + }; + +diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +index ae7cdc0d0f29..ebbcb9a16fe9 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +@@ -49,7 +49,7 @@ struct bitmap_ipmac { + size_t memsize; /* members size */ + struct timer_list gc; /* garbage collector */ + struct ip_set *set; /* attached to this ip_set */ +- unsigned char extensions[0] /* MAC + data extensions */ ++ unsigned char extensions[] /* MAC + data extensions */ + __aligned(__alignof__(u64)); + }; + +diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c +index d4a14750f5c4..1993f2783774 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_port.c ++++ b/net/netfilter/ipset/ip_set_bitmap_port.c +@@ -37,7 +37,7 @@ struct bitmap_port { + size_t memsize; /* members size */ + struct timer_list gc; /* garbage collection */ + struct ip_set *set; /* attached to this ip_set */ +- unsigned char extensions[0] /* data extensions */ ++ unsigned char extensions[] /* data extensions */ + __aligned(__alignof__(u64)); + }; + +diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h +index 4346cae25a4a..30b8b3fad150 100644 +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -76,7 +76,7 @@ struct hbucket { + DECLARE_BITMAP(used, AHASH_MAX_TUNED); + u8 size; /* size of the array */ + u8 pos; /* position of the first free entry */ +- unsigned char value[0] /* the array of the values */ ++ unsigned char value[] /* the array of the values */ + __aligned(__alignof__(u64)); + }; + +@@ -109,7 +109,7 @@ struct htable { + u8 htable_bits; /* size of hash table == 2^htable_bits */ + u32 maxelem; /* Maxelem per region */ + struct ip_set_region *hregion; /* Region locks and ext sizes */ +- struct hbucket __rcu *bucket[0]; /* hashtable buckets */ ++ struct hbucket __rcu *bucket[]; /* hashtable buckets */ + }; + + #define hbucket(h, i) ((h)->bucket[i]) +diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c +index 4b46421c5e17..ed4bde3c8850 100644 +--- a/net/netfilter/nfnetlink_acct.c ++++ b/net/netfilter/nfnetlink_acct.c +@@ -33,7 +33,7 @@ struct nf_acct { + refcount_t refcnt; + char name[NFACCT_NAME_MAX]; + struct rcu_head rcu_head; +- char data[0]; ++ char data[]; + }; + + struct nfacct_filter { +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index 8c835ad63729..9c5cfd74a0ee 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -132,7 +132,7 @@ struct xt_hashlimit_htable { + const char *name; + struct net *net; + +- struct hlist_head hash[0]; /* hashtable itself */ ++ struct hlist_head hash[]; /* hashtable itself */ + }; + + static int +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index 6fc0deb11aff..dae284e0ed15 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -71,7 +71,7 @@ struct recent_entry { + u_int8_t ttl; + u_int8_t index; + u_int16_t nstamps; +- unsigned long stamps[0]; ++ unsigned long stamps[]; + }; + + struct recent_table { +@@ -82,7 +82,7 @@ struct recent_table { + unsigned int entries; + u8 nstamps_max_mask; + struct list_head lru_list; +- struct list_head iphash[0]; ++ struct list_head iphash[]; + }; + + struct recent_net { +-- +2.39.5 + diff --git a/queue-5.4/netrom-check-buffer-length-before-accessing-it.patch b/queue-5.4/netrom-check-buffer-length-before-accessing-it.patch new file mode 100644 index 00000000000..4a0f801489a --- /dev/null +++ b/queue-5.4/netrom-check-buffer-length-before-accessing-it.patch @@ -0,0 +1,105 @@ +From b6f5f8b3161a61d19851364fd051d9a2331ed15e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 08:23:07 +0000 +Subject: netrom: check buffer length before accessing it + +From: Ilya Shchipletsov + +[ Upstream commit a4fd163aed2edd967a244499754dec991d8b4c7d ] + +Syzkaller reports an uninit value read from ax25cmp when sending raw message +through ieee802154 implementation. + +===================================================== +BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 + ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 + nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601 + nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774 + nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 + __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 + dev_queue_xmit include/linux/netdevice.h:3134 [inline] + raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299 + ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 + __alloc_skb+0x318/0x740 net/core/skbuff.c:651 + alloc_skb include/linux/skbuff.h:1286 [inline] + alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 + sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 + sock_alloc_send_skb include/net/sock.h:1884 [inline] + raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282 + ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +===================================================== + +This issue occurs because the skb buffer is too small, and it's actual +allocation is aligned. This hides an actual issue, which is that nr_route_frame +does not validate the buffer size before using it. + +Fix this issue by checking skb->len before accessing any fields in skb->data. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Nikita Marushkin +Signed-off-by: Nikita Marushkin +Signed-off-by: Ilya Shchipletsov +Link: https://patch.msgid.link/20241219082308.3942-1-rabbelkin@mail.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_route.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index 85e4637dc8ab..e1a682690154 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -751,6 +751,12 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) + int ret; + struct sk_buff *skbn; + ++ /* ++ * Reject malformed packets early. Check that it contains at least 2 ++ * addresses and 1 byte more for Time-To-Live ++ */ ++ if (skb->len < 2 * sizeof(ax25_address) + 1) ++ return 0; + + nr_src = (ax25_address *)(skb->data + 0); + nr_dest = (ax25_address *)(skb->data + 7); +-- +2.39.5 + diff --git a/queue-5.4/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch b/queue-5.4/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch new file mode 100644 index 00000000000..da3e0dda679 --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch @@ -0,0 +1,64 @@ +From 2a517d09709763514d7ce942a9b7f4cb68f21c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 14:09:28 +0530 +Subject: RDMA/bnxt_re: Add check for path mtu in modify_qp + +From: Saravanan Vajravel + +[ Upstream commit 798653a0ee30d3cd495099282751c0f248614ae7 ] + +When RDMA app configures path MTU, add a check in modify_qp verb +to make sure that it doesn't go beyond interface MTU. If this +check fails, driver will fail the modify_qp verb. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Reviewed-by: Kalesh AP +Signed-off-by: Saravanan Vajravel +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241211083931.968831-3-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 26 +++++++++++++----------- + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index eca36da7f9d4..d0ed8e14e3da 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1852,18 +1852,20 @@ int bnxt_re_modify_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr, + } + } + +- if (qp_attr_mask & IB_QP_PATH_MTU) { +- qp->qplib_qp.modify_flags |= +- CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; +- qp->qplib_qp.path_mtu = __from_ib_mtu(qp_attr->path_mtu); +- qp->qplib_qp.mtu = ib_mtu_enum_to_int(qp_attr->path_mtu); +- } else if (qp_attr->qp_state == IB_QPS_RTR) { +- qp->qplib_qp.modify_flags |= +- CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; +- qp->qplib_qp.path_mtu = +- __from_ib_mtu(iboe_get_mtu(rdev->netdev->mtu)); +- qp->qplib_qp.mtu = +- ib_mtu_enum_to_int(iboe_get_mtu(rdev->netdev->mtu)); ++ if (qp_attr->qp_state == IB_QPS_RTR) { ++ enum ib_mtu qpmtu; ++ ++ qpmtu = iboe_get_mtu(rdev->netdev->mtu); ++ if (qp_attr_mask & IB_QP_PATH_MTU) { ++ if (ib_mtu_enum_to_int(qp_attr->path_mtu) > ++ ib_mtu_enum_to_int(qpmtu)) ++ return -EINVAL; ++ qpmtu = qp_attr->path_mtu; ++ } ++ ++ qp->qplib_qp.modify_flags |= CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; ++ qp->qplib_qp.path_mtu = __from_ib_mtu(qpmtu); ++ qp->qplib_qp.mtu = ib_mtu_enum_to_int(qpmtu); + } + + if (qp_attr_mask & IB_QP_TIMEOUT) { +-- +2.39.5 + diff --git a/queue-5.4/rdma-bnxt_re-fix-max_qp_wrs-reported.patch b/queue-5.4/rdma-bnxt_re-fix-max_qp_wrs-reported.patch new file mode 100644 index 00000000000..36cfa574446 --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-fix-max_qp_wrs-reported.patch @@ -0,0 +1,40 @@ +From 6ca4fcee741c9e0b022241329fcce4cefaa809db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Nov 2020 05:13:06 -0800 +Subject: RDMA/bnxt_re: Fix max_qp_wrs reported + +From: Selvin Xavier + +[ Upstream commit c63e1c4dfc33d1bdae395ee8fbcbfad4830b12c0 ] + +While creating qps, the driver adds one extra entry to the sq size passed +by the ULPs in order to avoid queue full condition. When ULPs creates QPs +with max_qp_wr reported, driver creates QP with 1 more than the max_wqes +supported by HW. Create QP fails in this case. To avoid this error, reduce +1 entry in max_qp_wqes and report it to the stack. + +Link: https://lore.kernel.org/r/1606741986-16477-1-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Devesh Sharma +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index 079aaaaffec7..f623f881a95b 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -118,7 +118,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + * 128 WQEs needs to be reserved for the HW (8916). Prevent + * reporting the max number + */ +- attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS; ++ attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS + 1; + attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx) ? + 6 : sb->max_sge; + attr->max_cq = le32_to_cpu(sb->max_cq); +-- +2.39.5 + diff --git a/queue-5.4/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch b/queue-5.4/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch new file mode 100644 index 00000000000..bc4d7d5edaa --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch @@ -0,0 +1,41 @@ +From eca3b2e8e91fc533dc4e9a6ad5fa72bd73ce8000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 14:09:31 +0530 +Subject: RDMA/bnxt_re: Fix reporting hw_ver in query_device + +From: Kalesh AP + +[ Upstream commit 7179fe0074a3c962e43a9e51169304c4911989ed ] + +Driver currently populates subsystem_device id in the +"hw_ver" field of ib_attr structure in query_device. + +Updated to populate PCI revision ID. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Reviewed-by: Preethi G +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241211083931.968831-6-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index d0ed8e14e3da..563a0f37810d 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -137,7 +137,7 @@ int bnxt_re_query_device(struct ib_device *ibdev, + + ib_attr->vendor_id = rdev->en_dev->pdev->vendor; + ib_attr->vendor_part_id = rdev->en_dev->pdev->device; +- ib_attr->hw_ver = rdev->en_dev->pdev->subsystem_device; ++ ib_attr->hw_ver = rdev->en_dev->pdev->revision; + ib_attr->max_qp = dev_attr->max_qp; + ib_attr->max_qp_wr = dev_attr->max_qp_wqes; + ib_attr->device_cap_flags = +-- +2.39.5 + diff --git a/queue-5.4/rdma-mlx5-enforce-same-type-port-association-for-mul.patch b/queue-5.4/rdma-mlx5-enforce-same-type-port-association-for-mul.patch new file mode 100644 index 00000000000..32885cd7542 --- /dev/null +++ b/queue-5.4/rdma-mlx5-enforce-same-type-port-association-for-mul.patch @@ -0,0 +1,69 @@ +From 63aebbe3300520a78874e47a0ef8d454dfc6f537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 15:45:37 +0200 +Subject: RDMA/mlx5: Enforce same type port association for multiport RoCE + +From: Patrisious Haddad + +[ Upstream commit e05feab22fd7dabcd6d272c4e2401ec1acdfdb9b ] + +Different core device types such as PFs and VFs shouldn't be affiliated +together since they have different capabilities, fix that by enforcing +type check before doing the affiliation. + +Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") +Reviewed-by: Mark Bloch +Signed-off-by: Patrisious Haddad +Link: https://patch.msgid.link/88699500f690dff1c1852c1ddb71f8a1cc8b956e.1733233480.git.leonro@nvidia.com +Reviewed-by: Mateusz Polchlopek +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 6 ++++-- + include/linux/mlx5/driver.h | 6 ++++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 5e00acb9bb31..fb5a1b4abcbc 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -5980,7 +5980,8 @@ static int mlx5_ib_init_multiport_master(struct mlx5_ib_dev *dev) + list_for_each_entry(mpi, &mlx5_ib_unaffiliated_port_list, + list) { + if (dev->sys_image_guid == mpi->sys_image_guid && +- (mlx5_core_native_port_num(mpi->mdev) - 1) == i) { ++ (mlx5_core_native_port_num(mpi->mdev) - 1) == i && ++ mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) { + bound = mlx5_ib_bind_slave_port(dev, mpi); + } + +@@ -6874,7 +6875,8 @@ static void *mlx5_ib_add_slave_port(struct mlx5_core_dev *mdev) + + mutex_lock(&mlx5_ib_multiport_mutex); + list_for_each_entry(dev, &mlx5_ib_dev_list, ib_dev_list) { +- if (dev->sys_image_guid == mpi->sys_image_guid) ++ if (dev->sys_image_guid == mpi->sys_image_guid && ++ mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) + bound = mlx5_ib_bind_slave_port(dev, mpi); + + if (bound) { +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 882197037654..ddcbc910d909 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1137,6 +1137,12 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev) + return dev->coredev_type == MLX5_COREDEV_VF; + } + ++static inline bool mlx5_core_same_coredev_type(const struct mlx5_core_dev *dev1, ++ const struct mlx5_core_dev *dev2) ++{ ++ return dev1->coredev_type == dev2->coredev_type; ++} ++ + static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev) + { + return dev->caps.embedded_cpu; +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 1ae0ca8c830..bf789c74546 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -61,3 +61,19 @@ skb_expand_head-adjust-skb-truesize-incorrectly.patch ipv6-prevent-possible-uaf-in-ip6_xmit.patch selinux-ignore-unknown-extended-permissions.patch drivers-hv-util-avoid-accessing-a-ringbuffer-not-ini.patch +ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch +net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch +rdma-mlx5-enforce-same-type-port-association-for-mul.patch +rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch +rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch +rdma-bnxt_re-fix-max_qp_wrs-reported.patch +drm-bridge-adv7511-enable-spdif-dai.patch +drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch +netrom-check-buffer-length-before-accessing-it.patch +netfilter-replace-zero-length-array-with-flexible-ar.patch +netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch +net-llc-reset-skb-transport_header.patch +alsa-usb-audio-us16x08-initialize-array-before-use.patch +af_packet-fix-vlan_get_tci-vs-msg_peek.patch +af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch +ila-serialize-calls-to-nf_register_net_hooks.patch